Client-Side Prototype Pollution - Vulnerability Database

Client-Side Prototype Pollution

Description

Prototype pollution is a JavaScript vulnerability that lets an attacker inject properties into Object.prototype, the object from which nearly every other JavaScript object inherits. It arises when an application merges, copies or deep-sets user-controlled data into an object without filtering property names, most often in a recursive merge: a key such as __proto__ (or the pair constructor followed by prototype) makes the merge descend into the shared prototype instead of into an own property of the target, and whatever the attacker nested under that key is written there. In the client-side variant the data typically comes from the URL (query string or fragment parsed by page scripts) or from JSON parsed in the browser. Because every object that inherits from Object.prototype now sees the injected property, any code on the page that reads an optional setting it never set can be steered by the attacker; when such a "gadget" passes the value into the DOM, a script URL or an eval-like sink, the result is DOM-based cross-site scripting. The same bug class on the server (Node.js) can escalate to remote code execution.

Remediation

Implement the following measures to prevent prototype pollution:

1. Use safe object manipulation methods: Replace unsafe merge/extend/deep-set functions with versions that refuse the keys __proto__, constructor and prototype and copy only own properties of the source. Use Object.create(null) for objects that act as dictionaries, so they have no prototype to reach, or employ libraries whose merge functions already contain these protections.

2. Validate and sanitize object keys: Reject dangerous property names before merging user input. The shallow merge below shows the check; in a recursive merge the same check must run at every level of nesting:

// The three names that let a merge reach a prototype: "__proto__" directly,
// "constructor" followed by "prototype" indirectly.
function isSafeKey(key) {
  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
}

// Shallow merge of own, safe-named properties only. hasOwnProperty is called
// through Object.prototype so that a source created with Object.create(null),
// or one whose hasOwnProperty was overwritten by input, still works.
function safeMerge(target, source) {
  for (const key in source) {
    if (Object.prototype.hasOwnProperty.call(source, key) && isSafeKey(key)) {
      target[key] = source[key];
    }
  }
  return target;
}

3. Use Map instead of plain objects: When storing user-controlled keys, prefer a Map. A Map still inherits from Object.prototype like any other object, but its entries are kept separately from its properties, so a key named __proto__ or constructor is just an ordinary entry and never touches the prototype chain. With a plain object, store['__proto__'] = value instead rewires the store's prototype.

4. Freeze Object.prototype: Calling Object.freeze(Object.prototype) in critical applications prevents new properties from being added to it (the write throws in strict mode and is silently ignored otherwise). This is defence in depth, not a fix: it may break libraries that extend Object.prototype, and it does not protect other prototypes such as Array.prototype unless those are frozen as well.

5. Update dependencies: Keep third-party libraries current; deep-merge, object-path and query-string parsing utilities have all received prototype pollution fixes, and a vulnerable copy bundled into the client-side build is reachable by anyone who can control the input it parses.
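The following is an added example, not code from the Invicti page: it shows the recursive merge pattern from the Description being polluted by both the __proto__ and the constructor.prototype payloads, the hardened recursive merge described in steps 1 and 2, and the plain-object versus Map store from step 3. All function names, the config object and the attacker payloads are this example's own and are constructed for illustration.

```javascript
// Added example (not from the Invicti page): a lodash-style recursive merge
// that can be polluted, a hardened merge that cannot, and a Map-backed store
// for user-controlled keys. All names and payloads are this example's own.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeKey(key) {
  return !UNSAFE_KEYS.has(key);
}

// Objects and functions both carry properties, so a naive deep merge will
// happily descend into either (this is what makes "constructor.prototype"
// work: target.constructor is the Object function, whose .prototype is
// Object.prototype).
function isObjectLike(value) {
  return value !== null && (typeof value === 'object' || typeof value === 'function');
}

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// VULNERABLE: recursive merge with no key filtering. target['__proto__']
// resolves to Object.prototype, so the recursion writes the attacker's
// nested properties onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isObjectLike(value)) {
      if (!isObjectLike(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: drop the dangerous keys, copy own enumerable keys only, and only
// descend into a container that is an OWN property of target (an inherited
// name such as 'toString' would otherwise resolve through the chain).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (!isSafeKey(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payloads, as they would arrive in a JSON body or from a
// query-string parser that builds nested objects from bracketed keys.
const PAYLOADS = [
  '{"__proto__": {"polluted": "yes"}}',
  '{"constructor": {"prototype": {"polluted": "yes"}}}',
];

// Merge one payload into a fresh config object and report whether a brand-new
// empty object can now see the attacker's property. Cleans up afterwards so
// the global state does not leak into later checks.
function pollutes(mergeFn, payload) {
  const config = { theme: 'light' };
  mergeFn(config, JSON.parse(payload));
  const leaked = ({}).polluted !== undefined;
  delete Object.prototype.polluted;
  return leaked;
}

// Step 3: a plain object keyed by user input versus a Map. Assigning
// store['__proto__'] = {...} rewires the store's own prototype, so a later
// lookup of an unrelated name is answered by attacker data; Map keys are
// ordinary entries and never touch the prototype chain.
function lookupWithObject(entries, name) {
  const store = {};
  for (const [k, v] of entries) store[k] = v;
  return store[name];
}

function lookupWithMap(entries, name) {
  const store = new Map(entries);
  return store.get(name);
}

// Quick self-check when run directly: node prototype-pollution.js
if (typeof require !== 'undefined' && require.main === module) {
  for (const p of PAYLOADS) {
    console.log(`${p}\n  unsafeMerge pollutes: ${pollutes(unsafeMerge, p)}` +
                `\n  safeMerge pollutes:   ${pollutes(safeMerge, p)}`);
  }
  const entries = [['__proto__', { isAdmin: true }]];
  console.log('object store isAdmin:', lookupWithObject(entries, 'isAdmin'));
  console.log('map store isAdmin:   ', lookupWithMap(entries, 'isAdmin'));
}
```

Two details matter in safeMerge beyond the key check: it iterates Object.keys(source) rather than for...in, so inherited names are never copied, and it only recurses into a container that is an own property of target, since target['toString'] would otherwise resolve through the prototype chain to a shared function object. Filtering keys alone is not enough if the merge still follows inherited lookups.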

Related Vulnerabilities