Prototype pollution

Last updated June 25, 2025

Prototype pollution is a class of vulnerabilities in JavaScript runtimes that allows attackers to overwrite arbitrary properties in an object's prototype.^[1]^[2]^[3]^[4]^[5]^[6] In a prototype pollution attack, attackers inject properties into existing JavaScript construct prototypes, trying to compromise the application.

References

↑ Li, Song; Kang, Mingqing; Hou, Jianwei; Cao, Yinzhi (2021-08-18). "Detecting Node.js prototype pollution vulnerabilities via object lookup analysis". Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. ESEC/FSE 2021. New York, NY, USA: Association for Computing Machinery. pp. 268–279. doi: 10.1145/3468264.3468542 . ISBN 978-1-4503-8562-6.
↑ Kang, Zifeng; Li, Song; Cao, Yinzhi (2022). "Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites". Proceedings 2022 Network and Distributed System Security Symposium. Reston, VA: Internet Society. doi: 10.14722/ndss.2022.24308 . ISBN 978-1-891562-74-7.
↑ Shcherbakov, Mikhail; Balliu, Musard; Staicu, Cristian-Alexandru (2023). "Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js". SEC '23: Proceedings of the 32nd USENIX Conference on Security Symposium: 5521–5538. arXiv: 2207.11171 . ISBN 978-1-939133-37-3.
↑ Cornelissen, Eric; Shcherbakov, Mikhail; Balliu, Musard (2024). "{GHunter}: Universal Prototype Pollution Gadgets in {JavaScript} Runtimes". USENIX Security: 3693–3710. ISBN 978-1-939133-44-1.
↑ Hakim, Ismail Abdurrahman; Widyawan; Mustika, I Wayan; Prasetyo, Eko (2023-12-01). "A Multivocal Literature Review on Prototype Pollution Vulnerability" . 2023 International Conference on Information Technology and Computing (ICITCOM). IEEE: 375–379. doi:10.1109/ICITCOM60176.2023.10442205. ISBN 979-8-3503-5963-3.
↑ Kim, Hee Yeon; Kim, Ji Hoon; Oh, Ho Kyun; Lee, Beom Jin; Mun, Si Woo; Shin, Jeong Hoon; Kim, Kyounggon (2022-02-01). "DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules" . International Journal of Information Security. 21 (1): 1–23. doi:10.1007/s10207-020-00537-0. ISSN 1615-5270.

External links

Prototype Pollution Prevention Cheat Sheet - OWASP

This computer security article is a stub. You can help Wikipedia by expanding it.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Li, Song; Kang, Mingqing; Hou, Jianwei; Cao, Yinzhi (2021-08-18). "Detecting Node.js prototype pollution vulnerabilities via object lookup analysis". Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. ESEC/FSE 2021. New York, NY, USA: Association for Computing Machinery. pp. 268–279. doi: 10.1145/3468264.3468542 . ISBN 978-1-4503-8562-6.

[2] Kang, Zifeng; Li, Song; Cao, Yinzhi (2022). "Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites". Proceedings 2022 Network and Distributed System Security Symposium. Reston, VA: Internet Society. doi: 10.14722/ndss.2022.24308 . ISBN 978-1-891562-74-7.

[3] Shcherbakov, Mikhail; Balliu, Musard; Staicu, Cristian-Alexandru (2023). "Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js". SEC '23: Proceedings of the 32nd USENIX Conference on Security Symposium: 5521–5538. arXiv: 2207.11171 . ISBN 978-1-939133-37-3.

[4] Cornelissen, Eric; Shcherbakov, Mikhail; Balliu, Musard (2024). "{GHunter}: Universal Prototype Pollution Gadgets in {JavaScript} Runtimes". USENIX Security: 3693–3710. ISBN 978-1-939133-44-1.

[5] Hakim, Ismail Abdurrahman; Widyawan; Mustika, I Wayan; Prasetyo, Eko (2023-12-01). "A Multivocal Literature Review on Prototype Pollution Vulnerability" . 2023 International Conference on Information Technology and Computing (ICITCOM). IEEE: 375–379. doi:10.1109/ICITCOM60176.2023.10442205. ISBN 979-8-3503-5963-3.

[6] Kim, Hee Yeon; Kim, Ji Hoon; Oh, Ho Kyun; Lee, Beom Jin; Mun, Si Woo; Shin, Jeong Hoon; Kim, Kyounggon (2022-02-01). "DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules" . International Journal of Information Security. 21 (1): 1–23. doi:10.1007/s10207-020-00537-0. ISSN 1615-5270.

[1]

[2]

[3]

[4]

[5]

[6]