#0501

Deep Merge Pollution

Difficulty: Easy (+50 XP)
OWASP: A08:2021 Software and Data Integrity Failures
CWE-1321
Tags: Prototype Pollution, Deep Merge

Scenario

Your application uses a recursive deep-merge utility to combine configuration objects from multiple sources.

An attacker discovers they can supply a JSON body containing a `__proto__` key, which your merge function blindly copies into the target object — polluting Object.prototype for every subsequent object in the process.

Prototype pollution lets attackers silently inject properties onto every object in the application, enabling privilege escalation, authentication bypass, and remote code execution — all without touching your database.

Your Tasks

  1. Identify the keys that must never be merged: `__proto__`, `constructor`, and `prototype`.
  2. Add a guard at the top of the recursive branch that throws `'Prototype pollution detected'` when a forbidden key is encountered.
  3. Ensure normal deep merges still work correctly and return the merged object.

Examples

Example 1: Exploit — __proto__ injection

deepMerge({b: 2}, {"__proto__": {"isAdmin": true}})
// throws: 'Prototype pollution detected'

Example 2: Safe — normal merge

deepMerge({b: 2}, {a: 1})
// returns: {a: 1, b: 2}

Constraints

  • Throw exactly `'Prototype pollution detected'` (no period) when a forbidden key is found.
  • The check must be recursive — a forbidden key nested inside a sub-object must also be caught.
  • All other keys must be merged normally.
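One way to satisfy the tasks and constraints above, as an added example rather than the challenge's reference solution (the helper `isPlainObject` and the `FORBIDDEN_KEYS` set are this example's own names; the sample bodies are constructed and parsed with `JSON.parse`, because that is how an own `__proto__` key actually arrives in a request body):

```javascript
// Added example: recursive deep merge that refuses prototype-polluting keys.
// FORBIDDEN_KEYS and isPlainObject are names chosen for this example.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

function deepMerge(target, source) {
  // Object.keys sees the own "__proto__" key that JSON.parse creates,
  // so the guard runs before any property is written to target.
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error('Prototype pollution detected');
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Recurse so a forbidden key nested deeper is caught too.
      const existing = isPlainObject(target[key]) ? target[key] : {};
      target[key] = deepMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample bodies (what JSON.parse yields for attacker-shaped input).
// An object literal with a "__proto__" key would set the prototype instead of
// creating an own key, which is why these are parsed from strings.
const pollutingBody = JSON.parse('{"__proto__": {"isAdmin": true}}');
const nestedBody = JSON.parse(
  '{"settings": {"constructor": {"prototype": {"isAdmin": true}}}}'
);

// Returns true only if the merge rejected the body and left Object.prototype clean.
function rejectsPollution(body) {
  try {
    deepMerge({ b: 2 }, body);
    return false;
  } catch (err) {
    return err.message === 'Prototype pollution detected' && ({}).isAdmin === undefined;
  }
}
```

Run with `node`; `rejectsPollution(pollutingBody)` and `rejectsPollution(nestedBody)` both return `true`, while `deepMerge({b: 2}, {a: 1})` returns `{a: 1, b: 2}`.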
