Moderate severity · OSV Advisory · Published Jul 21, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23408

Description

GraphHopper web-bundle URL parser before 3.2 and 4.0-pre1 to before 4.0 allows prototype pollution via constructor or __proto__ payload, leading to potential denial of service or remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability affects the JavaScript URL parser in the com.graphhopper:graphhopper-web-bundle package. Versions before 3.2, and from 4.0-pre1 up to but not including 4.0, are susceptible to prototype pollution. The URL parser improperly handles constructor or __proto__ properties in the parsed query string, allowing an attacker to add or modify properties of Object.prototype [1].

Exploitation

An attacker can craft a malicious URL containing a constructor or __proto__ payload. When the GraphHopper web-bundle processes this URL through its client-side parser, the payload is injected into JavaScript object prototypes. This requires no special network position; any vector that delivers the URL to the parser suffices (e.g., a user clicking a link, or server-side rendering that reaches the same code path). No authentication is needed if the parser is exposed to unauthenticated users. The exploit typically relies on unsafe recursive merge or property-by-path assignment patterns in the URL parsing logic [2].

Impact

Successful prototype pollution can lead to several outcomes: denial of service via JavaScript exceptions, or tampering with application source code to force execution along an attacker-controlled code path, potentially leading to remote code execution (RCE) [2]. Because properties on Object.prototype are inherited by all objects, the impact can be widespread within the application.

Mitigation

The vulnerability is fixed in GraphHopper web-bundle version 3.2 and version 4.0. The fix was implemented in pull request #2370, which sanitizes input to avoid prototype pollution [3][4]. Users should upgrade to version 3.2 or later, or to version 4.0 or later. No workarounds are documented in the available references.
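The property-by-path assignment pattern named under Exploitation, beside a form that filters the dangerous keys, as an added JavaScript example. It is a generic dotted-key query parser written for illustration, not GraphHopper's code or the change in pull request #2370; the function names, the `map.zoom` parameter and the `polluted` properties are constructed.

```javascript
// Added example: generic dotted-key query parser, not GraphHopper's code.
// A key such as "a.b=1" is expanded into the nested object { a: { b: "1" } }.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);

// Unsafe: plain property access follows inherited members, so "__proto__" or
// "constructor.prototype" walks to Object.prototype and the write lands there.
function parseUnsafe(query) {
  const out = {};
  for (const [key, value] of new URLSearchParams(query)) {
    const path = key.split(".");
    let node = out;
    for (const seg of path.slice(0, -1)) {
      if (node[seg] == null) node[seg] = {};
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Hardened: drop any parameter whose path contains a blocked segment, and
// build the result from prototype-less objects so nothing inherited is reachable.
function parseSafe(query) {
  const out = Object.create(null);
  for (const [key, value] of new URLSearchParams(query)) {
    const path = key.split(".");
    if (path.some((seg) => BLOCKED.has(seg))) continue;
    let node = out;
    for (const seg of path.slice(0, -1)) {
      if (typeof node[seg] !== "object") node[seg] = Object.create(null);
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return out;
}

// Constructed sample query; runs both parsers and reports what reached Object.prototype.
function demo() {
  const query = "?map.zoom=12&__proto__.polluted=yes&constructor.prototype.polluted2=yes";
  const safe = parseSafe(query);
  const afterSafe = "polluted" in {} || "polluted2" in {};
  parseUnsafe(query);
  const afterUnsafe = [{}.polluted, {}.polluted2];
  for (const k of ["polluted", "polluted2"]) delete Object.prototype[k]; // undo
  return { safe, afterSafe, afterUnsafe };
}
console.log(demo());
```

Checking `"polluted" in {}` on a fresh object after parsing attacker-controlled input is also a usable regression test for a parser of this shape.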

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.graphhopper:graphhopper-web-bundle (Maven)
Affected versions: < 3.2
Patched versions: 3.2
