VYPR
Moderate severity · NVD Advisory · Published Jun 17, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23396

Description

All versions of the lutils npm package are vulnerable to Prototype Pollution via the main merge function, potentially leading to remote code execution or denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The lutils package (all versions) is vulnerable to Prototype Pollution through its main merge function [1][2]. The function performs an unsafe recursive merge of objects without sanitizing special properties such as __proto__, constructor, or prototype. When an attacker-controlled source object contains a property named __proto__ defined via Object.defineProperty(), the merge recurses onto Object.prototype, allowing arbitrary properties to be injected into the global prototype chain [2].

Exploitation

An attacker can exploit this vulnerability by supplying a crafted object to the merge function that includes a __proto__ property with malicious sub-properties. No authentication or special network position is required if the application merges user-supplied data (e.g., JSON payloads, query parameters) into an object. The attack does not require user interaction beyond the application processing the malicious input [2].

Impact

Successful exploitation pollutes Object.prototype, causing all JavaScript objects in the application to inherit the injected properties. This can lead to denial of service (via exceptions or unexpected behavior) or, in many scenarios, remote code execution by altering the application’s code paths [2]. The impact is application-wide and may allow an attacker to execute arbitrary code with the privileges of the vulnerable process.

Mitigation

No patched version of lutils has been released; all versions are affected [1]. As a workaround, developers should avoid using the merge function with untrusted input or replace the package with an alternative that properly sanitizes prototype keys. If the package is no longer maintained, consider migrating to a different library [2].
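The sanitizing merge the mitigation calls for, as an added example that is not lutils code or the advisory's: it walks own enumerable keys recursively but refuses to recurse into `__proto__`, `constructor` or `prototype`, so the payload shapes described under Vulnerability never reach Object.prototype. The `safeMerge`/`demo` names and the hostile sample payload are constructed for illustration.

```javascript
// Added example, not lutils code: a recursive merge that refuses to walk
// onto the prototype chain. The blocked keys are the three the advisory
// names; the functions and sample payload are constructed for illustration.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain (or null-prototype) objects are merged recursively; everything
// else (arrays, Dates, class instances) is assigned as-is.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Copies the own enumerable properties of `source` into `target`. A
// forbidden key is recorded in `report.skipped` and never recursed into, so
// {"__proto__": {...}} or {"constructor": {"prototype": {...}}} cannot reach
// Object.prototype. Both JSON.parse and Object.defineProperty produce an own
// "__proto__" property that Object.keys() returns, so the check sees it.
function safeMerge(target, source, report = { skipped: [] }) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      report.skipped.push(key);
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) &&
        isPlainObject(target[key]) ? target[key] : (target[key] = {});
      safeMerge(existing, value, report);
    } else {
      target[key] = value;
    }
  }
  return report;
}

// Constructed hostile input of the kind an application would get from
// JSON.parse on a request body: it carries both polluting shapes.
function demo() {
  const payload = JSON.parse('{"name":"x","__proto__":{"polluted":true},' +
    '"nested":{"constructor":{"prototype":{"polluted":true}},"ok":1}}');
  const config = { name: 'default', nested: { keep: true } };
  const report = safeMerge(config, payload);
  return {
    config,
    skipped: report.skipped,
    prototypeClean: ({}).polluted === undefined,
  };
}
```

`demo()` returns the merged config, the list of rejected keys, and a flag confirming that a fresh object inherits nothing from the payload.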

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: lutils (npm)
Affected versions: <= 2.4.0
Patched versions: none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.