Prototype Pollution in robinvdvleuten/shvl


Reported on

May 30th 2021

✍️ Description

Hi, I've seen a recent prototype pollution report to this library and, during the code review, found out that the applied fix doesn't work at all. The problem relies in the regex used to fix, as I shown bellow.

🕵️‍♂️ Proof of Concept

The reported prototype pollution resulted in the addition of the following regex to the source code:


Which prevents anyone to use the exactly words __proto__, constructor or prototype as the entire path. But, since when someone is trying to pollute some attribute they need to define the attribute to be polluted, such as __proto__.polluted the presence of $ in the regex leads this fix to fail and keep shvl still vulnerable to prototype pollution. So, the payload from the las report still works as reported, this is my poc:

<!DOCTYPE html>
<html lang="en">


    <script src=""></script>
          quote = {}
          o = {}
          shvl.set(quote, "__proto__.polluted", "oi");
          if (o.polluted)
            console.log("is polluted!")
            console.log("is safe!")

💥 Impact

The impact of this vulnerability is that this library and everyone that use it remains vulnerable to prototype pollution as demonstrated in the last pwn2win 2021 challenge small-talk


Matheus Vrech
2 years ago


I've already proposed a solution btw

Matheus Vrech
a year ago


They merged my fix, the vulnerability no longer exists

Matheus Vrech
a year ago



Pavlos validated this vulnerability a year ago
Matheus Vrech has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pavlos marked this as fixed in 3.0.0 with commit 85b59f a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
index.js#L8 has been validated
Pavlos published this vulnerability a year ago
a year ago


Good job @vrechson!

to join this conversation