Security

    Prototype pollution in JavaScript mobile apps

    A 2026 view of prototype pollution where untrusted JSON with a __proto__ key is merged unsafely and taints Object.prototype, contrasted with stripping dangerous keys and using a Map

    Prototype pollution is a JavaScript-specific vulnerability that follows JavaScript wherever it runs, including React Native and other JS-based mobile apps and their Node backends. It exploits the way JavaScript objects inherit from prototypes: if an attacker can get their input merged into an object using special keys like __proto__, they can inject properties into the base object prototype, which then affects every object in the program. The results range from corrupting application logic and denial of service to, with the right conditions, code execution. It usually comes from one careless operation, an unsafe merge of untrusted data. Here is what prototype pollution is, how it happens, and how to prevent it.

    Short answer

    Prototype pollution is a vulnerability where an attacker injects properties into JavaScript's object prototype, typically Object.prototype, by getting attacker-controlled keys like __proto__, constructor, or prototype merged or assigned into an object, which then affects all objects in the program. Per CWE-1321, the impact ranges from corrupting application behavior and denial of service to, depending on gadgets present, code execution. It affects JavaScript-based mobile apps, such as React Native, and their JavaScript backends, usually through unsafe recursive merges or property assignments of untrusted input. The fix is to avoid merging untrusted data unsafely: reject or strip dangerous keys, use prototype-less objects or Maps for untrusted-keyed data, validate input structure, and keep dependencies updated.

    What you should know

    • Prototype pollution injects into the object prototype: affecting all objects.
    • It uses keys like __proto__ and constructor: in attacker-controlled input.
    • The cause is usually an unsafe merge: of untrusted data into an object.
    • Impact ranges from logic corruption to code execution: depending on context.
    • It affects JS apps and their backends: React Native and Node.

    What is prototype pollution?

    It is polluting JavaScript's shared prototype through untrusted input. In JavaScript, objects inherit properties from a prototype, and ordinary objects ultimately inherit from Object.prototype, so a property added there is visible on essentially every object. Prototype pollution happens when an attacker can influence the keys used in an operation that writes to an object, and includes a special key, most commonly __proto__, but also paths through constructor and prototype, so that the write lands on the prototype rather than the intended object. Once the prototype is polluted with an attacker-chosen property, every object that does not override it now appears to have that property, which can change how the program behaves anywhere it reads such properties. The vulnerability is not in the prototype mechanism itself but in code that takes untrusted input and merges or assigns it into objects without guarding against these special keys, so a single unsafe operation can taint the global object behavior.

    How does it happen, and what is the impact?

    Through unsafe property writes, with impact that escalates by context. The table outlines it.

    StepWhat happens
    Untrusted input with __proto__Attacker-controlled data includes a dangerous key
    Unsafe merge or assignmentA recursive merge or deep set writes it without guarding
    Prototype pollutedA property is added to Object.prototype
    Behavior changes everywhereAll objects appear to have the injected property
    EscalationLogic bypass, denial of service, or code execution via gadgets

    The classic trigger is a recursive merge or deep-set function, the kind that copies a source object's nested properties into a target, applied to untrusted JSON without sanitizing keys, so an attacker who controls the JSON includes a __proto__ entry that the merge follows onto the prototype. Once polluted, the impact depends on how the application uses object properties: an injected property can corrupt logic, bypass a check that reads a property, or cause crashes and denial of service when unexpected properties appear everywhere. In some setups, prototype pollution chains with existing code, the gadgets, that uses object properties in sensitive ways, escalating to code execution. So the severity ranges widely, but it always starts from the same place: untrusted input reaching an unsafe object-writing operation.

    How do you prevent it?

    Guard object writes against dangerous keys, and avoid unsafe merges of untrusted data. The core defense is to never merge or deep-assign untrusted input into objects without protection: reject or strip the dangerous keys __proto__, constructor, and prototype from untrusted data before processing, and use merge, clone, and set utilities that are known to guard against prototype pollution rather than naive recursive ones. For data with untrusted keys, prefer a Map, or objects created without a prototype, so there is no Object.prototype to pollute through them. Validate the structure of incoming data against what you expect, rather than blindly merging arbitrary shapes, which both prevents pollution and is good input hygiene generally. Keep your dependencies updated, since prototype pollution has been found and fixed in many popular libraries, and a vulnerable dependency can introduce the flaw even if your own code is careful. Where appropriate, freezing Object.prototype can harden the runtime against pollution. This applies on both the app side, React Native or other JS, and your Node backend, since both run JavaScript and process untrusted input. The principle is the familiar one: treat untrusted input as untrusted, and in JavaScript that specifically means not letting it write to object prototypes through unsafe merges or dangerous keys.

    What to watch out for

    The first trap is a naive recursive merge or deep-set of untrusted JSON, the textbook prototype-pollution sink; strip dangerous keys and use safe utilities. The second is a vulnerable dependency introducing the flaw even when your code is careful; keep dependencies updated. The third is using plain objects as maps for untrusted keys, when a Map or prototype-less object avoids the prototype entirely. Prototype pollution is a code-level JavaScript flaw, so a pre-submission scan such as PTKD.com (https://ptkd.com), which reads the binary against OWASP MASVS, assesses input handling broadly and can surface dependency and configuration concerns, while the specific guarding of object writes is something you implement and review in your JavaScript.

    What to take away

    • Prototype pollution injects properties into JavaScript's object prototype through untrusted input using keys like __proto__, affecting all objects, with impact from logic corruption and denial of service to code execution.
    • It usually comes from an unsafe recursive merge or deep assignment of untrusted data, and affects JS-based mobile apps like React Native and their Node backends.
    • Prevent it by rejecting or stripping dangerous keys, using safe merge utilities and Map or prototype-less objects for untrusted keys, validating input structure, and keeping dependencies updated.
    • Use a pre-submission scan such as PTKD.com to assess input handling and dependency concerns, and guard object writes against prototype pollution in your code.
    • #prototype-pollution
    • #javascript
    • #react-native
    • #cwe-1321
    • #input-validation
    • #owasp
    • #mobile

    Frequently asked questions

    What is prototype pollution?
    It is polluting JavaScript's shared prototype through untrusted input. JavaScript objects inherit from a prototype, and ordinary objects ultimately inherit from Object.prototype, so a property added there is visible on essentially every object. Prototype pollution happens when an attacker influences the keys in an operation that writes to an object and includes a special key like __proto__, so the write lands on the prototype rather than the intended object. Once polluted, every object that does not override the injected property appears to have it, which can change program behavior anywhere those properties are read.
    How does prototype pollution happen?
    Usually through an unsafe recursive merge or deep-set function applied to untrusted JSON without sanitizing keys. Such a function copies a source object's nested properties into a target, so an attacker who controls the JSON includes a __proto__ entry that the merge follows onto the prototype. Property assignments built from untrusted key paths can do the same. The flaw is not in the prototype mechanism but in code that merges or assigns untrusted input into objects without guarding against the dangerous keys __proto__, constructor, and prototype, so one unsafe operation taints global object behavior.
    How bad is prototype pollution?
    It varies by context but can be severe. Once the prototype is polluted, the impact depends on how the application uses object properties: an injected property can corrupt logic, bypass a check that reads a property, or cause crashes and denial of service when unexpected properties appear on every object. In some setups it chains with existing code that uses object properties in sensitive ways, the gadgets, escalating to code execution. So it ranges from a logic or availability problem to remote code execution, which is why it should be treated as a real vulnerability rather than a quirk.
    How do I prevent prototype pollution?
    Never merge or deep-assign untrusted input into objects without protection. Reject or strip the dangerous keys __proto__, constructor, and prototype from untrusted data, and use merge, clone, and set utilities known to guard against pollution rather than naive recursive ones. For data with untrusted keys, prefer a Map or objects created without a prototype, so there is no Object.prototype to pollute through them. Validate incoming data structure rather than blindly merging arbitrary shapes, keep dependencies updated since the flaw has appeared in many libraries, and consider freezing Object.prototype to harden the runtime.
    Does prototype pollution affect React Native apps?
    Yes. Prototype pollution follows JavaScript wherever it runs, so React Native and other JS-based mobile apps are affected, as are their Node backends, whenever they process untrusted input through unsafe merges or assignments. A vulnerable dependency can introduce the flaw even if your own code is careful, which is why keeping dependencies updated matters. The same defenses apply on both the app and backend: strip dangerous keys, use safe utilities and Map or prototype-less objects, and validate input structure. A pre-submission scan such as PTKD.com assesses input handling and dependency concerns.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free