Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Fix for Prototype Pollution - #38

merged 2 commits into from Nov 14, 2020


Copy link

@huntr-helper huntr-helper commented Oct 9, 2020 has fixed the Prototype Pollution vulnerability 馃敤. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 馃挼. Think you could fix a vulnerability like this?

Get involved at

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README |

User Comments:

馃搳 Metadata *

Bounty URL:

鈿欙笍 Description *

js.merge package is vulnerable to prototype pollution issue

馃捇 Technical Description *

Fixed by adding missing magical attributes, to filter.
- if (key === '__proto__'){
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype'){

馃悰 Proof of Concept (PoC) *

  1. Install the package, run the below code:
var mergelib = require('merge');
var obj = mergelib({}, JSON.parse('{ "testProperty": "hi", "prototype" : { "status" : "pwned!" } }'));

Outputs: pwned.

馃敟 Proof of Fix (PoF) *

After fix prototype.status is undefined

馃憤 User Acceptance Testing (UAT)

After fix functionality is unafected

Copy link

@JamieSlome JamieSlome commented Oct 23, 2020

@yeikos @zeke - let me know if you have any thoughts or questions regarding the fix.

Cheers! 馃嵃

@yeikos yeikos merged commit f571887 into yeikos:master Nov 14, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

4 participants