What is Prototype Pollution?

Prototype Pollution, as the name suggests, is about polluting the prototype of a base object which can sometimes lead to arbitrary code execution. According to Olivier Arteau’s reseach and his talk on NorthSec 2018, prototype pollution happens at some unsafe merge, clone, extend and path assignment operations on malicious JSON objects. Recently, a high severity prototype pollution security vulnerability (CVE-2019–10744) was discovered in lodash (versions less than 4.17.12). You can read more details from a Synk Security Research Team’s blog, which describes the lodash security vulnerability and fixes.