# Prototype Pollution via Object Manipulation

- ID: javascript-prototype-pollution
- Severity: HIGH
- CWE: Prototype Pollution (CWE-1321)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express, fastify, koa, hapi, nestjs, lambda, serverless

## Description

Detects user-controlled input flowing into object merge, extend, clone or deep-set operations without filtering the dangerous keys. When the merge walks the source object's keys and writes them onto the target, a key such as `__proto__` resolves to `Object.prototype` on the target side, so the attacker's nested values are written to the shared prototype instead of to the target object.

## Detection Message

Untrusted input from {source} can pollute Object prototype via {sink}. User-controlled property keys (such as `__proto__`, or `constructor` followed by `prototype`) can modify built-in prototypes, affecting every object in the application that inherits from them.

## Remediation

Filter the dangerous keys (`__proto__`, `constructor`, `prototype`) before merging objects. Apply the filter at every level of a recursive merge, not only at the top, because the payload is usually nested (`{"__proto__": {"isAdmin": true}}` or `{"constructor": {"prototype": {...}}}`). Where possible, also skip keys that are not own properties of the target (`Object.hasOwn`) and build target objects with `Object.create(null)` so there is no prototype to reach.

```javascript
// Shallow filter: drops the dangerous keys from one level of untrusted input.
// For a deep merge, run this check on every nested object as it is visited.
const BLOCKED = ['__proto__', 'constructor', 'prototype'];
const filtered = Object.fromEntries(
  Object.entries(input).filter(([k]) => !BLOCKED.includes(k))
);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-1321/prototype-pollution

## Related Rules

- **Prototype Pollution Gadget - Unsafe Property Trust** [MEDIUM]:
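The following is an added example, not code from the rule page or from the shoulder.dev project: a naive recursive merge of the kind this rule flags, beside a hardened merge that applies the blocked-key filter at every depth and refuses to recurse into inherited properties. The payload, the `demo` helper and the function names are constructed for illustration.

```javascript
// Added example: vulnerable deep merge vs. hardened deep merge (illustrative names).

const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE: copies every key from source, including "__proto__". On a plain
// target, target["__proto__"] is Object.prototype, so the recursion writes the
// attacker's nested values onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// HARDENED: drops the dangerous keys at every level, and only recurses into
// containers that are own properties of the target (never inherited ones).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge against a constructed attacker payload (e.g. a JSON request
// body) and reports whether an unrelated object picked up the injected property.
function demo(merge) {
  const payload = JSON.parse('{"name":"alice","__proto__":{"isAdmin":true}}');
  const config = merge({}, payload);
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // restore global state for subsequent calls
  return { name: config.name, polluted };
}

console.log('unsafeMerge polluted Object.prototype:', demo(unsafeMerge).polluted);
console.log('safeMerge polluted Object.prototype:', demo(safeMerge).polluted);
```

Note that `JSON.parse` creates `__proto__` as an ordinary own property of the parsed object, so `Object.keys` returns it; the pollution happens only when a merge then assigns through `target["__proto__"]`, which is the setter path to `Object.prototype`.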