1function deepMerge(target, source) {
2 for (const key of Object.keys(source)) {
3 if (typeof source[key] === 'object' && source[key] !== null) {
4 if (!target[key]) target[key] = {};
5 deepMerge(target[key], source[key]);
6 } else {
7 target[key] = source[key];
8 }
9 }
10 return target;
11}
12// deepMerge({}, JSON.parse('{"__proto__":{"admin":true}}'))
13// Now ({}).admin === true for ALL objects
no lines flagged
#036PracticeHard30 min · 200 XP
Prototype Pollution via Recursive Merge
A deep merge utility allows an attacker to inject properties into Object.prototype, affecting all objects in the application.
Flagged linesNo lines flagged yet
What's wrong?
Flag a line or write a note to submit.