Fixed prototype pollution when using dataType: 'json'

ciscoheat · ciscoheat · commit 4a1310dd1a94 · 2025-10-15T06:34:03.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,7 @@ Headlines: Added, Changed, Deprecated, Removed, Fixed, Security
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [2.27.3] - 2025-10-14
+## [2.27.4] - 2025-10-14
 
 ### Security
 
diff --git a/src/lib/traversal.ts b/src/lib/traversal.ts
@@ -52,6 +52,12 @@ export function traversePath<T extends object>(
 	modifier?: (data: PathData) => undefined | unknown | void
 ): PathData | undefined {
 	if (!realPath.length) return undefined;
+
+	// Prevent prototype injection
+	if (realPath.includes('__proto__') || realPath.includes('prototype')) {
+		throw new Error("Cannot set an object's `__proto__` or `prototype` property");
+	}
+
 	const path = [realPath[0]];
 
 	let parent = obj;
