Prototype Pollution in hello.js (Issue #634)

The issue (titled “Prototype Pollution in hello.js” / Issue #634) reports that the function hello.utils.extend — which is part of hello.js — is vulnerable. 
[GitHub](https://github.com/MrSwitch/hello.js/issues/634?utm_source=chatgpt.com)

The problem lies in the implementation of extend, which recursively merges object properties. The code doesn’t guard against merging into dangerous keys such as __proto__. That means an attacker may craft input that modifies an object’s prototype. 
GitHub
+1

Through this vulnerability, malicious users could pollute the prototype chain, resulting in potential cross-site scripting (XSS) or even remote code execution depending on usage context. 
GitHub
+2
clouddefense.ai
+2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Prototype Pollution in hello.js (Issue #634) #702

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Prototype Pollution in hello.js (Issue #634) #702

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions