Security vulnerabilities

  • Status Closed
  • Assigned To
  • Private
Attached to Project: Security vulnerabilities
Opened by mrdott - 17.03.2024
Last edited by mdugue - 19.03.2024

FS#38 - Bug Title: Prototype Pollution Vulnerability Report

Bug Title: Prototype Pollution Vulnerability Report
Weakness: Prototype Pollution
Hello Web Security Team,

I am reporting a security vulnerability on the website The website is affected by prototype pollution due to the usage of an outdated jQuery version.

The website uses jQuery version 1.12.4, which is susceptible to prototype pollution. This vulnerability allows an attacker to inject properties into Object.prototype, affecting all objects across the application. Notably, the "deep" version of jQuery $.extend is impacted.

Steps To Reproduce:
1. To check if the application is vulnerable to prototype pollution attack we can use the below command:

command: $.extend(true, {}, JSON.parse('{"__proto__":{"polluted":"hacked"}}'));

2. Now let's open the application URL: and enter into the developer options Console tab and paste the command and hit enter.
Notice that the result contains an option with polluted: hacked


Prototype pollution introduces a severe risk to the application. An attacker, upon exploiting this vulnerability, can manipulate default values for options passed to functions with an "options" argument—a common pattern in JavaScript applications. The impact escalates based on the application's use of such options, potentially leading to unauthorized modifications and alterations in the application's behavior.

Supporting Material/References: The vulnerability has been verified on jQuery version 1.12.4, and it is likely to affect older versions.
The issue is present when using Chrome latest version.

Update latest version of jquery 3.7.1 is the best remediation as it has no known vulnerabilities at the time of this writing

Closed by  mdugue
19.03.2024 10:17
Reason for closing:  Invalid


this is not a jQuery vulnerability: this is an inherent behavior of the JavaScript language itself. JS is an object-based prototyped language, meaning you can mutate any object prototype (even the Object type itself) on the fly during runtime. There is nothing you can do against it but protect the execution environment. This exactly happens here: injecting content through the console is not a valid security flaw demonstration.

If you consider we’re vulnerable to an attack based on prototyping mutation, please provide a valid PoC where content is injected from an external source (meaning: from an asset located outside of the running domain).

Plus, if you consider prototyping issues as security flaws, you can still file a bug to the ECMA team.



Available keyboard shortcuts


Task Details

Task Editing