I reproduced a $10,000 bug
The article describes a prototype pollution vulnerability in an Express server caused by an outdated deep-extend module. By injecting a __proto__ field, the attacker tampers with the isAdmin property and gains administrator privileges, highlighting the potential risk of prototype pollution attacks. 2025-6-8 05:41:35 Author: infosecwriteups.com (view original)

phoenixcatalan

🎭 “I wasn’t an admin… until I became one with just a JSON object.”

An Express server. An innocent isAdmin field. And a hacker who hijacks it through a simple __proto__. Welcome to the world of Prototype Pollution.

🎬 The Setup

It all starts with a small, seemingly harmless Node.js application. Users can update their profiles via a POST request to /update-profile.

Under pressure, the developer uses a popular module to merge objects: deep-extend. A classic choice.

But by using an outdated, vulnerable version, they unknowingly opened a dangerous backdoor.

🧨 The Vulnerability: Prototype Pollution

Here’s the issue: some JavaScript libraries, when recursively merging untrusted input, copy keys such as __proto__ onto the global Object prototype, so the injected properties show up on every object in the application.

To successfully exploit prototype pollution, an attacker typically needs three things:

  1. A pollution source — Input that lets them inject arbitrary properties into prototypes (e.g., __proto__, constructor, prototype).
  2. A sink — A function or behavior in the app that uses those polluted properties (like eval, DOM manipulation, or access checks).
  3. An exploitable gadget — A…
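As an added example (not code from the article or from deep-extend itself), the hypothetical `unsafeMerge` below reproduces the merge defect the article attributes to the outdated module, beside a hardened `safeMerge`; `simulateProfileUpdate` stands in for the /update-profile handler and reports whether an unrelated object ends up inheriting isAdmin.

```javascript
// Added example: a minimal recursive merge with the same defect the article
// attributes to an outdated deep-extend, beside a hardened version.
// Illustrative code, not deep-extend's source.

const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Vulnerable: JSON.parse stores "__proto__" as an own key, so Object.keys
// yields it; target["__proto__"] resolves to Object.prototype and the
// recursion writes isAdmin there, where every object in the process sees it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: drop prototype-manipulating keys (the pollution source) and only
// recurse into properties the target actually owns.
function safeMerge(target, source) {
  const own = Object.prototype.hasOwnProperty;
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!own.call(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Stand-in for the /update-profile handler: merge the request body into the
// stored profile, then read isAdmin from an unrelated object the way a naive
// access-check sink would. Undoes any pollution so the demo is repeatable.
function simulateProfileUpdate(merge, body) {
  const profile = { name: "alice", isAdmin: false };
  merge(profile, JSON.parse(body));
  const leaked = ({}).isAdmin === true; // inherited, not own, property
  delete Object.prototype.isAdmin;
  return leaked;
}

// Constructed request body of the kind the article describes.
const PAYLOAD = '{"name":"alice","__proto__":{"isAdmin":true}}';
```

A second defence at the sink is to check `Object.hasOwn(user, "isAdmin")` (or store profiles in `Object.create(null)` objects) so an inherited value is never treated as a real flag.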

Source: https://infosecwriteups.com/i-reproduced-a-10-000-bug-28466603e45e?source=rss----7b722bfd1b8d---4