Prototype Pollution in json-validator
Summary
json-validator (<= 0.0.34) is vulnerable to Prototype Pollution via the validate function.
Description
The validate() function recursively traverses schema/data objects without filtering __proto__ keys. When validating untrusted JSON data against a schema, an attacker can inject __proto__ properties that pollute Object.prototype. This is particularly dangerous because validation functions are expected to be safe to call with untrusted input.
Proof of Concept
const jsonValidator = require("json-validator");
console.log("Before:", ({}).polluted); // undefined
const malicious = JSON.parse('{"__proto__":{"polluted":"yes"}}');
jsonValidator.validate({}, malicious);
console.log("After:", ({}).polluted); // "yes"
const fresh = {};
console.log("fresh.polluted:", fresh.polluted); // "yes" Why this is a real vulnerability
Object.prototype is globally modified — after the PoC runs, ({}).polluted === "yes" on every newly created object in the entire Node.js process- The pollution is silent — no error is thrown, no warning is logged. The caller has no indication that the global prototype was modified
- Any downstream code is affected — authentication checks (
if (user.isAdmin)), serialization, template rendering, database queries — all inherit the polluted properties
- This is a well-documented vulnerability class with numerous CVEs assigned for the same pattern: CVE-2020-8203 (lodash), CVE-2021-25945 (js-extend)
Impact
- Remote Code Execution (RCE) —
child_process.spawn inherits shell: true from polluted prototype
- Denial of Service (DoS) — overriding
toString/valueOf crashes string coercion
- Authentication Bypass — polluting
isAdmin/role/authorized properties
- Property Injection — all objects inherit polluted properties
Remediation
Filter dangerous keys during recursive object traversal:
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
// Add this check in the recursive merge loop:
if (UNSAFE_KEYS.has(key)) continue;
References
Prototype Pollution in
json-validatorSummary
json-validator(<= 0.0.34) is vulnerable to Prototype Pollution via thevalidatefunction.Description
The
validate()function recursively traverses schema/data objects without filtering__proto__keys. When validating untrusted JSON data against a schema, an attacker can inject__proto__properties that polluteObject.prototype. This is particularly dangerous because validation functions are expected to be safe to call with untrusted input.Proof of Concept
Why this is a real vulnerability
Object.prototypeis globally modified — after the PoC runs,({}).polluted === "yes"on every newly created object in the entire Node.js processif (user.isAdmin)), serialization, template rendering, database queries — all inherit the polluted propertiesImpact
child_process.spawninheritsshell: truefrom polluted prototypetoString/valueOfcrashes string coercionisAdmin/role/authorizedpropertiesRemediation
Filter dangerous keys during recursive object traversal:
References