Fixed prototype pollution when using dataType: 'json'

Author: ciscoheat

CHANGELOG.md

@@ -5,6 +5,12 @@ Headlines: Added, Changed, Deprecated, Removed, Fixed, Security
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.27.3] - 2025-10-14
+
+### Security
+
+- Fixed prototype pollution when using `dataType: 'json'`.
+
 ## [2.27.2] - 2025-10-03
 
 ### Security

src/lib/traversal.ts

@@ -10,6 +10,11 @@ export type PathData = {
 };
 
 function setPath<T extends object>(parent: T, key: keyof T, value: any) {
+	// Prevent prototype injection
+	if (key === '__proto__' || key === 'prototype') {
+		throw new Error("Cannot set an object's `__proto__` or `prototype` property");
+	}
+
 	parent[key] = value;
 	return 'skip' as const;
 }
@@ -190,6 +195,12 @@ export function setPaths(
 			}
 			return parent[key];
 		});
-		if (leaf) leaf.parent[leaf.key] = isFunction ? value(path, leaf) : value;
+		if (leaf) {
+			// Prevent prototype injection
+			if (leaf.key === '__proto__' || leaf.key === 'prototype') {
+				throw new Error("Cannot set an object's `__proto__` or `prototype` property");
+			}
+			leaf.parent[leaf.key] = isFunction ? value(path, leaf) : value;
+		}
 	}
 }