Client-Side Prototype Pollution

high Web Application Scanning Plugin ID 112719



Client-Side Prototype Pollution


Prototype-based programming languages rely on the process of defining objects used as prototypes to be then extended or cloned in order to create new objects. Once instantiated, these objects will inherit from the properties and methods of their prototype.

JavaScript is one of the most common prototype-based language in modern web applications, on both server-side and client-side components. Nearly all the JavaScript objects are instances of Object, making them inherit from the properties and methods of the Object prototype.

A client-side prototype pollution vulnerability exists when an attacker is able to modify the properties of the Object prototype in the context of the web browser, exposing the application users to further issues like Cross-Site Scripting or Denial of Service attacks.


The inputs should be properly sanitized to prevent the Object prototype from being modified when trying to leverage on the properties like prototype or constructor during some operations (like merging or cloning objects). JavaScript objects can also be explicitly instantiated without a prototype by using the Object.create(null) constructor. Finally, prefer using a Map object as a key and value storage as it will not contain the Objects prototype keys, thus preventing the pollution to occur.

See Also

Plugin Details

Severity: High

ID: 112719

Type: remote

Published: 5/6/2021

Updated: 2/21/2022

Scan Template: pci, scan

Risk Information


Risk Factor: Medium

Score: 5.9


Risk Factor: Medium

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-20083


Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2021-20083

Reference Information

CVE: CVE-2021-20083, CVE-2021-20084, CVE-2021-20089, CVE-2021-20085, CVE-2021-20087, CVE-2021-20088, CVE-2021-20086