Summary
ObjectUtils.mutateFieldData exposed from primereact/utils appears to allow prototype pollution when the field argument contains prototype-related path segments such as __proto__.
Affected package
- Package: primereact
- Version tested: 10.9.8
- Entry point: primereact/utils
- API: ObjectUtils.mutateFieldData(data, field, value)
Reproduction
// Maybe sent in a more private way
Expected behavior
mutateFieldData should reject or safely handle dangerous path segments such as __proto__, constructor, and prototype.
Actual behavior
The function splits the caller-controlled field on "." and walks the object path, creating or descending into each intermediate object, before assigning the final value. It does not distinguish own properties from inherited ones, so with a field of __proto__.polluted the first segment resolves through the inherited __proto__ accessor to Object.prototype, and the attacker-controlled value is assigned there.
After the call, every newly created plain object inherits the polluted property.
Impact
If an application passes attacker-controlled field names into ObjectUtils.mutateFieldData, an attacker may pollute Object.prototype. Depending on application behavior, this can affect downstream authorization, configuration, feature-flag, or control-flow checks that read inherited properties.
Suggested fix
Reject dangerous path segments before traversal or assignment:
- __proto__
- constructor
- prototype
This validation should happen at every nesting level before reading, recursing into, or assigning a property. It would also be safer to use own-property-only traversal semantics for nested writes.
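The following is an added illustration, not primereact's code: naiveMutateFieldData is a minimal path setter modeled on the traversal described under "Actual behavior" (split on ".", walk, assign), and safeMutateFieldData applies the suggested fix (segment denylist checked at every level, own-property-only traversal). Both function names and the helper functions are hypothetical. demonstratePollution deletes the polluted key again so the process is left clean.

```javascript
// Added example modeled on the report; NOT the primereact implementation.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable shape: no segment validation, inherited properties are followed.
// For '__proto__.polluted', data['__proto__'] resolves to Object.prototype.
function naiveMutateFieldData(data, field, value) {
  const parts = field.split('.');
  let current = data;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (current[key] === undefined || current[key] === null) {
      current[key] = {};
    }
    current = current[key];
  }
  current[parts[parts.length - 1]] = value;
  return data;
}

// Hardened shape: reject dangerous segments at every level before any
// read, recursion or write, and only descend into own properties so an
// inherited accessor such as __proto__ is never used as a traversal step.
function safeMutateFieldData(data, field, value) {
  const parts = field.split('.');
  for (const key of parts) {
    if (DANGEROUS_SEGMENTS.has(key)) {
      throw new Error(`Refusing unsafe path segment: ${key}`);
    }
  }
  let current = data;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(current, key);
    if (!own || typeof current[key] !== 'object' || current[key] === null) {
      current[key] = {};
    }
    current = current[key];
  }
  current[parts[parts.length - 1]] = value;
  return data;
}

// Shows the pollution, then removes it so the rest of the process is intact.
function demonstratePollution() {
  const before = ({}).polluted;                        // undefined
  naiveMutateFieldData({}, '__proto__.polluted', 'yes');
  const after = ({}).polluted;                         // 'yes' on a fresh object
  delete Object.prototype.polluted;                    // clean up
  return { before, after };
}

// Shows that the hardened setter rejects the payload and still works normally.
function demonstrateHardening() {
  let rejected = false;
  try {
    safeMutateFieldData({}, '__proto__.polluted', 'yes');
  } catch (e) {
    rejected = true;
  }
  const normal = safeMutateFieldData({ a: {} }, 'a.b.c', 1); // { a: { b: { c: 1 } } }
  return { rejected, polluted: ({}).polluted, normal };
}

module.exports = { naiveMutateFieldData, safeMutateFieldData, demonstratePollution, demonstrateHardening };
```

The denylist alone is not sufficient on its own in general (for example when segments are normalised or decoded elsewhere), which is why the hardened version also refuses to step through inherited properties; a constructor.prototype.x path is caught by the denylist, and anything that slips past it still cannot reach Object.prototype through an inherited accessor.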