Prototype Pollution in antfu/utils


Reported on

Sep 13th 2021


@antfu/utils is a collection of common JavaScript / TypeScript utils. It is vulnerable to Prototype Pollution on the deepMerge() function. This allows for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.

About the vulnerability

Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as _proto_, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

Proof of Concept

// PoC.js
const utils = require('@antfu/utils');
const obj = {};
const payload =  JSON.parse('{"__proto__":{"polluted":"Polluted!"}}');

console.log("Before: " + obj.polluted);
utils.deepMerge(obj, payload);
console.log("After: " + polluted);
Before: undefined
After: Polluted!


It can be fixed by implementing a simple validation to check for prototype keywords (__proto__, constructor and prototype), where if it exists, the function returns the object without modifying it, thus fixing the Prototype Pollution Vulnerability.


This vulnerability is capable of modification of prototype behavior, which may result in Information Disclosure/DoS/RCE.

We created a GitHub Issue asking the maintainers to create a 2 years ago
We have contacted a member of the antfu/utils team and are waiting to hear back 2 years ago
Anthony Fu validated this vulnerability 4 months ago


Asjid Kalam has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Anthony Fu marked this as fixed in 0.7.3 with commit 7f8b16 4 months ago
Anthony Fu has been awarded the fix bounty
This vulnerability has been assigned a CVE
Anthony Fu published this vulnerability 4 months ago
Anthony Fu gave praise 4 months ago
Thank you for reporting :)
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Vinicius Philot
a month ago

hey @admin platforms such as SonaType are still flagging this package as insecure because one file wasn't updated (index.js) even though all the others have the fix.

Quote: The fix for this vulnerability was released for version 0.7.3 and onwards only on the index.mjs and index.cjs files. However the index.js file remains vulnerable.

@antfu could we please update the module? thank you for all your hard work!

to join this conversation