VYPR
← All advisories
High severity7.5NVD Advisory· Published Jun 19, 2026· Updated Jun 19, 2026

flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key

CVE-2026-55091

Description

Summary

convert() builds the nested tree by using each flat record's id and parent field values directly as object keys, with no guard against __proto__ / constructor / prototype. A record whose parent is the string "__proto__" makes temp[parent] resolve to Object.prototype, and the following initPush(...) writes attacker-controlled data onto the global prototype. Any application that passes attacker-influenced records to convert() is affected, and the base prototype methods stay intact so the pollution is stealthy.

Details

In index.js, convert() (FlatToNested.prototype.convert):

- temp = {} (line 45) and pendingChildOf = {} (line 46) are plain objects, so they inherit from Object.prototype. - For each record, parent = flatEl[this.config.parent] (line 51) is taken verbatim from input. - Line 57: if (temp[parent] !== undefined) — when parent === "__proto__", temp["__proto__"] resolves via the prototype chain to Object.prototype, which is !== undefined, so the branch is taken. - Line 59: initPush(this.config.children, temp[parent], flatEl) → effectively initPush("children", Object.prototype, flatEl). - initPush (lines 4-9): Object.prototype["children"] = [] then Object.prototype["children"].push(flatEl) — **attacker-controlled data is written onto the global Object.prototype.**

There is no sanitization of id / parent anywhere; they flow straight into temp[id], temp[parent], and pendingChildOf[parent] as dynamic keys.

PoC

  const FlatToNested = require('flat-to-nested');

  new FlatToNested().convert([
    { id: 1, parent: '__proto__', polluted: 'PWNED' }
  ]);

  console.log(({}).children); // => [ { id: 1, polluted: 'PWNED' } ]
  A freshly-created, unrelated object {} now carries an attacker-controlled children property. ({}).toString === Object.prototype.toString remains true, so existing methods are untouched (stealthy). If the consumer configures a custom children key, that arbitrary prototype property is polluted instead.

Impact

Prototype pollution (CWE-1321). Any service that builds a tree from attacker-influenced flat records (the package's core purpose — e.g. records derived from a DB/REST/user input) can have Object.prototype polluted. Consequences range from application-logic corruption and denial of service to serving as a gadget toward privilege escalation or RCE depending on downstream sinks. No special privileges or user interaction required; the malicious value is ordinary input data.

Suggested fix

Use prototype-less lookup tables so inherited keys like __proto__ cannot be reached: var temp = Object.create(null); var pendingChildOf = Object.create(null); (Optionally also reject id/parent values equal to __proto__, constructor, or prototype.) Verified: with Object.create(null) for both temp and pendingChildOf, the PoC no longer pollutes Object.prototype and normal nesting output is unchanged. A patch with a regression test is ready.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

1

Patches

Vulnerability mechanics

Root cause

"The `convert()` method uses `id` and `parent` values from input records directly as object keys on plain `{}` lookup tables, with no guard against `__proto__`, `constructor`, or `prototype`, allowing prototype pollution."

Attack vector

An attacker supplies a flat record where the `parent` field (or `id` field) is set to the string `"__proto__"`. When `convert()` processes this record, `temp["__proto__"]` resolves through the prototype chain to `Object.prototype`, and the subsequent `initPush()` call writes attacker-controlled data (e.g., a `children` array containing the malicious record) onto the global `Object.prototype` [ref_id=1][ref_id=2]. No authentication or special privileges are required; the malicious value is ordinary input data passed to `convert()`. This is a classic prototype pollution vulnerability [CWE-1321].

Affected code

The vulnerability resides in the `convert()` method of `FlatToNested.prototype` in `index.js`. The `temp` and `pendingChildOf` lookup tables were initialized as plain `{}` objects, inheriting from `Object.prototype`. The `id` and `parent` values from input records were used directly as object keys without sanitization, allowing a record with `parent: '__proto__'` to resolve `temp[parent]` to `Object.prototype` and write attacker-controlled data onto the global prototype via `initPush` [ref_id=1][ref_id=2].

What the fix does

The patch changes the initialization of `temp` and `pendingChildOf` from plain `{}` to `Object.create(null)`, creating prototype-less lookup tables [patch_id=6627425]. With `Object.create(null)`, there is no inherited `Object.prototype`, so a key like `"__proto__"` is treated as an ordinary own property rather than resolving to the global prototype. This prevents the `initPush` call from writing onto `Object.prototype` while preserving normal nesting behavior. Regression tests were added to verify that `__proto__` as a parent or id no longer pollutes `Object.prototype` and that correct nesting still works [patch_id=6627425][ref_id=3].

Preconditions

  • inputThe application must pass attacker-influenced flat records to the `convert()` method of the `flat-to-nested` package.
  • authNo authentication or special privileges required; the malicious value is ordinary input data.

Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.