
fix(query): use Object.create(null) to prevent prototype pollution#2661

Open
wdskuki wants to merge 1 commit into vuejs:main from wdskuki:fix/parseQuery-prototype-pollution
Conversation


@wdskuki wdskuki commented Mar 16, 2026

Summary

This PR fixes a security vulnerability where query objects created with {} are susceptible to prototype pollution via __proto__ and constructor keys.

Changes

  • parseQuery(): Use Object.create(null) instead of {}
  • normalizeQuery(): Use Object.create(null) instead of {}
  • parseURL(): Use Object.create(null) for initial query object

Security Impact

Before this fix, an attacker could craft a URL like:

  • /?__proto__=evil&foo=bar - pollutes the query object's prototype
  • /?constructor=test - leaks internal Object constructor

After this fix, these keys are treated as plain data without affecting the prototype chain.

Fixes

Fixes #2658

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced query parameter handling in the router to prevent inheritance of unintended properties.

Changes parseQuery, normalizeQuery, and parseURL to use Object.create(null)
instead of {} when creating query objects. This prevents prototype pollution
via __proto__ and constructor keys in query strings.

Fixes vuejs#2658
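Added example (not vue-router's own code): a reduced query-string parser that merges repeated keys, run once with a plain `{}` and once with `Object.create(null)`. The `key in query` merge step is an assumption about the parser's shape, chosen to show how inherited members such as `constructor` and `__proto__` are mistaken for earlier query values on a plain object and become ordinary data on a null-prototype object.

```javascript
// Reduced parser: repeated keys are promoted to an array (assumed shape,
// not the project's code). `makeObject` decides what the query object is.
function parseQueryWith(makeObject, search) {
  const query = makeObject();
  if (search === '' || search === '?') return query;
  const raw = search[0] === '?' ? search.slice(1) : search;
  for (const part of raw.split('&')) {
    const eq = part.indexOf('=');
    const key = decodeURIComponent(eq < 0 ? part : part.slice(0, eq));
    const value = eq < 0 ? null : decodeURIComponent(part.slice(eq + 1));
    if (key in query) {
      // With a plain {}, `'constructor' in query` and `'__proto__' in query`
      // are true through the prototype chain, so an inherited member is
      // treated as an earlier value and wrapped into the result array.
      let current = query[key];
      if (!Array.isArray(current)) current = query[key] = [current];
      current.push(value);
    } else {
      query[key] = value;
    }
  }
  return query;
}

const parseQueryVulnerable = (s) => parseQueryWith(() => ({}), s);
const parseQueryHardened = (s) => parseQueryWith(() => Object.create(null), s);

// Constructed check: does `?constructor=test` leak the Object constructor
// function into the parsed query data?
function checkConstructorLeak(parse) {
  const q = parse('?constructor=test');
  return Array.isArray(q.constructor) && q.constructor[0] === Object;
}

// Constructed check: after `?__proto__=evil&foo=bar`, has the query object's
// prototype been swapped for something other than null / Object.prototype?
// On a plain {} the `__proto__` setter fires and the prototype becomes the
// merge array; on a null-prototype object `__proto__` is just an own key.
function protoWasReplaced(parse) {
  const q = parse('?__proto__=evil&foo=bar');
  const proto = Object.getPrototypeOf(q);
  return proto !== null && proto !== Object.prototype;
}
```

Run both checks against `parseQueryVulnerable` and `parseQueryHardened` to see the difference; in the hardened version `Object.keys(parseQueryHardened('?__proto__=evil&foo=bar'))` is simply `['__proto__', 'foo']`.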

netlify bot commented Mar 16, 2026

Deploy Preview for vue-router canceled.

Latest commit: 3020739
Latest deploy log: https://app.netlify.com/projects/vue-router/deploys/69b79d979f3b2f00088a9dcd


coderabbitai bot commented Mar 16, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 67567763-5a1c-46de-8506-989942b0534f

📥 Commits

Reviewing files that changed from the base of the PR and between 47f0334 and 3020739.

📒 Files selected for processing (2)
  • packages/router/src/location.ts
  • packages/router/src/query.ts

📝 Walkthrough

This change addresses a prototype pollution vulnerability in Vue Router's query parsing functions by replacing plain object initialization ({}) with null-prototype objects (Object.create(null)). This prevents special keys like __proto__ and constructor from corrupting the prototype chain during query parameter parsing.

Changes

Cohort / File(s): Query Parsing Security Hardening (packages/router/src/location.ts, packages/router/src/query.ts)
Summary: Changed query object initialization from plain objects {} to null-prototype objects Object.create(null) in parseURL, parseQuery, and normalizeQuery functions to prevent prototype pollution via special keys like __proto__ and constructor.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A rabbit with code so pristine,
Sealed null prototypes, pristine and clean!
No __proto__ tricks shall slip through,
Our query objects—corruption-proof and true! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly describes the main security fix across all modified files: replacing plain object initialization with Object.create(null) to prevent prototype pollution.
  • Linked Issues check: ✅ Passed. The PR implements all requirements from issue #2658: Object.create(null) is used in parseQuery, normalizeQuery, and parseURL to prevent prototype pollution vulnerabilities.
  • Out of Scope Changes check: ✅ Passed. All changes in the PR are directly scoped to the security fix for prototype pollution in query parsing; no extraneous modifications are present.
  • Docstring Coverage: ✅ Passed. Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

Development

Successfully merging this pull request may close these issues.

parseQuery creates objects with {} instead of Object.create(null), allowing __proto__ key corruption