Description
Hi, we are a security team. We found a Prototype Pollution vulnerability in your project.
1. Vulnerability Type
Prototype Pollution (Medium)
2. Vulnerability Cause
The _clone() function in the clone module uses for...in to iterate all enumerable properties (including the own property __proto__) and recursively clones properties without filtering dangerous keys. Although JSON.parse() safely stores __proto__ as a normal property, the assignment in clone() is interpreted by the JavaScript engine as modifying the object’s prototype, thus polluting Object.prototype.
3. Vulnerable Code Location
_clone() function: clone/clone.js
4. Proof of Concept (PoC)
```javascript
// The vulnerable deep-clone function exported by the clone module
const clone = require('clone');

// Parse untrusted input; JSON.parse stores __proto__ as an own property
const userInput = JSON.parse('{"__proto__": {"polluted": true}}');

// Deep clone using the vulnerable module; the assignment of the __proto__
// key inside _clone() hits the prototype setter instead of creating a property
const cloned = clone(userInput);

// Prototype chain is polluted globally
console.log(Object.prototype.polluted); // true
```
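For comparison, an added example (not the clone module's own code) of a deep clone that skips the keys the report describes: `safeDeepClone` and `demoPoc` are hypothetical names, and the input is the report's PoC payload plus one ordinary key, constructed inline.

```javascript
// Added example: a deep clone that refuses to copy prototype-polluting keys.
// Assumes JSON-like input (plain objects, arrays, primitives).
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepClone(value, seen = new WeakMap()) {
  if (value === null || typeof value !== 'object') return value;
  if (seen.has(value)) return seen.get(value); // circular references
  if (Array.isArray(value)) {
    const out = [];
    seen.set(value, out);
    for (const item of value) out.push(safeDeepClone(item, seen));
    return out;
  }
  const out = {};
  seen.set(value, out);
  // Object.keys yields only own enumerable string keys, so a __proto__
  // produced by JSON.parse shows up here as an own key and is filtered.
  for (const key of Object.keys(value)) {
    if (UNSAFE_KEYS.has(key)) continue;
    // defineProperty creates an own property on `out`; unlike `out[key] = v`
    // it never invokes the Object.prototype.__proto__ setter.
    Object.defineProperty(out, key, {
      value: safeDeepClone(value[key], seen),
      writable: true,
      enumerable: true,
      configurable: true,
    });
  }
  return out;
}

// Runs the report's PoC payload through safeDeepClone and checks whether the
// global prototype was touched and whether ordinary data survived the clone.
function demoPoc() {
  const userInput = JSON.parse('{"__proto__": {"polluted": true}, "name": "ok"}');
  const cloned = safeDeepClone(userInput);
  return {
    globalPolluted: Object.prototype.polluted === true,
    clonedHasName: cloned.name === 'ok',
    clonedHasProtoKey: Object.prototype.hasOwnProperty.call(cloned, '__proto__'),
  };
}
```

A regression test for a fix in the module itself can assert the same three properties after cloning the PoC input.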