Prototype Pollution

All versions of the package grunt-util-property are vulnerable to Prototype Pollution. The utility's function call can be tricked into adding or modifying properties of Object.prototype by using a __proto__ payload [1]. This is a classic prototype pollution issue common in JavaScript utilities that handle property assignment without proper sanitization.

Exploitation requires the attacker to control the input passed to the vulnerable function. By crafting an object with a __proto__ key, the attacker can pollute the global Object prototype. This attack does not require authentication but relies on the application processing untrusted data through the library [2].

Successful exploitation can lead to denial of service, property injection, or remote code execution depending on how the polluted properties are used by the application. No patch is available as the package appears to be unmaintained; users should avoid using this package or apply strict input validation [3].