GHSA-x7j8-49r8-mr43High

@nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty

Published
May 21, 2026
Last Modified
May 21, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

The _copyProps function in lib/src/object/copy.ts uses for...in to iterate over source object properties without an Object.hasOwnProperty check, and does not filter dangerous keys (proto, constructor, prototype). This allows an attacker to pollute the prototype chain of all objects in the application.

Details

In _copyProps() (copy.ts lines 186-191), the code iterates all enumerable properties including inherited ones and dangerous keys like proto. Any object with a proto key (e.g., from untrusted JSON input) will overwrite the target's prototype.

PoC

const malicious = JSON.parse('{"__proto__": {"polluted": true}}');
objDeepCopy(malicious);
console.log({}.polluted); // true

Suggested Fix

Add objHasOwnProperty check and filter proto, constructor, prototype keys.

🎯 Affected products1

  • npm/@nevware21/ts-utils:<= 0.13.0

🔗 References (2)