Prototype Pollution
Description
Proto package versions through 1.0 are vulnerable to prototype pollution via the merge function, enabling denial of service or potential remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Proto package (npm package Proto), all versions up to and including 1.0, is vulnerable to prototype pollution through its merge function. The merge function recursively merges objects without filtering out the __proto__, constructor, or prototype keys [1][2][3]. An attacker can therefore inject properties into the global Object.prototype by supplying a source object that carries an own, enumerable property named __proto__, for example one created with Object.defineProperty() [3]. A plain object literal such as { __proto__: ... } would set the object's prototype instead of creating such a key, which is why the reference builds the payload with Object.defineProperty(). Any application that uses Proto's merge to combine user-supplied objects is affected [1][2].
Exploitation
The attacker supplies, as the source argument to a merge operation, a crafted object containing a __proto__ property whose value is the desired prototype payload [3]. No authentication or special network position is required if the application merges attacker-controlled data (e.g., HTTP request bodies, JSON payloads, or configuration files). The merge function recursively traverses the source object. When it reaches a __proto__ property that has been defined as an own object via Object.defineProperty(), the check "the property exists and is an object on both the target and the source" passes, because target.__proto__ resolves to Object.prototype; the merge then recurses into Object.prototype and writes the payload's properties there [3]. Once polluted, every JavaScript object in the process inherits the injected properties, which can alter application behavior.
Impact
Successful exploitation results in prototype pollution, whose security impact depends on the application context [3]. At minimum, the attacker can cause denial of service by injecting properties that make code paths throw JavaScript exceptions [3]. More seriously, the pollution can tamper with application logic and steer execution onto attacker-controlled code paths, potentially leading to remote code execution [1][3]. The attacker can also alter object properties globally, potentially bypassing security checks or overriding default values [3].
Mitigation
As of the publication date of this CVE (September 1, 2021) and the available references, no fixed version of the Proto package has been released, and the repository appears unmaintained [2]. The only reliable mitigation is to stop passing untrusted input to Proto's merge function or to switch to an alternative library that is not affected [3]. Note the version discrepancy between the CVE description (through 1.0) and the GitHub Security Advisory (<= 1.1.4): with no patched release listed, treat every published version as affected. Monitor the Snyk advisory [3] for any future updates. The CVE is not currently listed on CISA's Known Exploited Vulnerabilities catalog.
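The exploit path described under Exploitation and the key-filtering mitigation, as an added JavaScript example that is not Proto's own code: unsafeMerge is a hypothetical re-creation of the recursive merge pattern the advisory describes, safeMerge is a hardened counterpart written for this page, and the payload values ("polluted", "yes") are constructed. It shows why the reference needs Object.defineProperty(), that a JSON.parse()-produced key behaves the same way, that an object-literal __proto__ key never reaches the vulnerable branch, and that filtering the key name plus recursing only into own properties stops the pollution:

```javascript
// Added illustration, not code from the Proto package. unsafeMerge is a
// hypothetical re-creation of the pattern the advisory describes; the
// payload values ("polluted", "yes") are constructed for this example.

function isObject(v) {
  return v !== null && typeof v === "object";
}

// Vulnerable pattern: recurses whenever the key holds an object on both
// sides and never inspects the key name. For key "__proto__" on a plain
// target, target["__proto__"] resolves (via the inherited accessor) to
// Object.prototype, so the recursive call writes into Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(target[key]) && isObject(source[key])) {
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Builds the payload the way the Snyk write-up describes: an OWN,
// enumerable property literally named "__proto__". An object literal
// { __proto__: x } would instead set the object's prototype and never
// show up in Object.keys(), so it cannot reach the vulnerable branch.
function makePayload(props) {
  const payload = {};
  Object.defineProperty(payload, "__proto__", {
    value: props, enumerable: true, writable: true, configurable: true,
  });
  return payload;
}

// Merges the payload into an empty target, then reads the injected key
// from a brand-new, unrelated object. Returns what leaked (undefined if
// nothing did) and undoes the pollution so later code is unaffected.
function demoUnsafe(payload) {
  unsafeMerge({}, payload);
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return leaked;
}

// Hardened merge: refuses the three dangerous key names and only recurses
// into an OWN plain-object property of target, so an inherited object such
// as Object.prototype can never become the recursion target.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isObject(value) && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key)
        && isObject(target[key]) && !Array.isArray(target[key]);
      target[key] = safeMerge(own ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Same attack against safeMerge; reports whether anything leaked and
// whether the payload key landed as an own property on the result.
function demoSafe(payload) {
  const result = safeMerge({ keep: 1 }, payload);
  const leaked = ({}).polluted;
  delete Object.prototype.polluted; // no-op if the merge held
  return {
    leaked,
    hasOwnProto: Object.prototype.hasOwnProperty.call(result, "__proto__"),
    keep: result.keep,
  };
}

console.log("defineProperty payload, unsafeMerge:", demoUnsafe(makePayload({ polluted: "yes" })));
console.log("JSON.parse payload, unsafeMerge:   ", demoUnsafe(JSON.parse('{"__proto__":{"polluted":"yes"}}')));
console.log("object-literal key, unsafeMerge:   ", demoUnsafe({ __proto__: { polluted: "yes" } }));
console.log("defineProperty payload, safeMerge: ", demoSafe(makePayload({ polluted: "yes" })));
```

Run it with node. The hasOwnProperty check in safeMerge matters as much as the key blocklist: a merge that recurses into target[key] without confirming the property is own can still be steered into an inherited object through an accessor, which is exactly how target.__proto__ reaches Object.prototype in the unsafe version.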
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Proto (npm) | <= 1.1.4 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
- github.com/advisories/GHSA-58g2-9fqr-36q2 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-23426 (NVD advisory)
- snyk.io/vuln/SNYK-JS-PROTO-1316301 (Snyk advisory)
- www.npmjs.com/package/Proto (npm package page)
News mentions (0)
No linked articles in our index yet.