Prototype Pollution
April 2, 2026
| Code | Severity | i18n | Experimental |
|---|---|---|---|
| prototype-pollution | Warning | sast_warnings.prototype_pollution | ❌ |
Introduction
Prototype pollution is an attack technique in which an adversary manipulates an object's `__proto__` property to inject or override inherited properties on all objects of that type. Because JavaScript objects share a prototype chain, a successful pollution can affect any code that reads from those inherited properties — enabling unexpected behavior, authentication bypasses, or even remote code execution in some server-side scenarios.
JS-X-Ray raises a prototype-pollution warning when it detects:
- Direct `__proto__` property access — e.g. `obj.__proto__.foo = "bar"`
- Computed `__proto__` property access — e.g. `obj["__proto__"].foo = "bar"`
- The `"__proto__"` string literal — e.g. `const key = "__proto__"`, which may later be used as a dynamic key
Examples
```js
// Direct property access — pollutes every object's prototype
const obj = {};
obj.__proto__.polluted = true;
console.log({}.polluted); // true

// Computed property access — equivalent attack, just harder to spot
const payload = {};
payload["__proto__"].isAdmin = true;

// String literal — the key will be tracked as a potential pollution vector
const key = "__proto__";
const target = {};
target[key] = { isAdmin: true };
```
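The dynamic-key case matters most when the key comes from parsed input rather than from a literal in the source. The following is an added example, not code from JS-X-Ray: it puts a recursive merge that copies every key beside a hardened version that refuses prototype-related keys. The helper names (`unsafeMerge`, `safeMerge`, `demo`) and the JSON input are constructed for illustration.

```javascript
// Added example: helper names are hypothetical, the JSON input is constructed.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Vulnerable: every key is used as a dynamic property name. For "__proto__",
// target[key] resolves to Object.prototype and the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip prototype-related keys and only recurse into own properties,
// so inherited objects are never used as a merge destination.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isObject(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      const dest = hasOwn && isObject(target[key]) ? target[key] : {};
      target[key] = safeMerge(dest, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function demo() {
  // JSON.parse creates "__proto__" as an ordinary own key, so Object.keys returns it.
  const input = JSON.parse('{"name": "guest", "__proto__": {"isAdmin": true}}');

  unsafeMerge({}, input);
  const pollutedByUnsafe = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution before the second run

  const merged = safeMerge({}, input);
  const pollutedBySafe = ({}).isAdmin === true;
  return { pollutedByUnsafe, pollutedBySafe, name: merged.name };
}

console.log(demo());
```

Creating merge destinations with `Object.create(null)` or using a `Map` for untrusted keys removes the inherited `__proto__` accessor entirely and complements the key filter.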