1 comment

  • BambaNugat 11 hours ago

    Did we give JS prototype chains a bit too much power somewhere along the way? The same flexibility that makes lodash plugins, deep merge utilities, and dynamic config libraries so convenient is the reason prototype pollution keeps showing up everywhere: it hit Kibana hard enough for RCE back in 2019, took down Blitz.js in 2022, and now here we are again. graphql-upload-minimal lets you control where uploaded files get mapped; send a tiny file whose entire content is just literally 'true' and map it to __proto__.isAdmin via a file upload request, and now every object in the Node.js process thinks it's an admin until the server restarts.
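
As an added example (not code from graphql-upload-minimal or from the commenter), here is a naive dotted-path setter of the kind that makes a path like `__proto__.isAdmin` reachable, beside a hardened version that refuses prototype-related segments and only creates null-prototype containers. Function names, the forbidden-key list and the sample paths are constructed for the illustration.

```javascript
// Added example, not the library's code. Constructed names throughout.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Naive setter: walks or creates a nested object for every segment.
// For "__proto__.isAdmin" the walk lands on Object.prototype and writes there,
// so every plain object in the process inherits isAdmin === true.
function setPathNaive(target, path, value) {
  const parts = path.split(".");
  let node = target;
  for (const key of parts.slice(0, -1)) {
    if (node[key] === undefined) node[key] = {};
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Hardened setter: rejects prototype-related segments before touching anything,
// and only descends into own properties, creating Object.create(null) containers
// so a traversal can never reach a shared prototype.
function setPathSafe(target, path, value) {
  const parts = path.split(".");
  for (const key of parts) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refused path segment: ${key}`);
  }
  let node = target;
  for (const key of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== "object" || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Runs both setters against an unrelated object to show the difference, then
// removes the polluted property so nothing else in this process is affected.
function demo() {
  const victim = {}; // stands in for any other object in the application
  setPathNaive({}, "__proto__.isAdmin", true);
  const naivePolluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin; // clean up after the demonstration
  let safeRejected = false;
  try { setPathSafe({}, "__proto__.isAdmin", true); } catch { safeRejected = true; }
  return { naivePolluted, safeRejected, cleanAfterwards: victim.isAdmin === undefined };
}
```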