Summary
@antv/layout exports setNestedValue from the root package entry. This helper accepts a dot-separated path and writes the value into the target object.
In lib/util/object.js, the externally supplied path value is split on "." and then passed into @antv/util / lodash set without filtering dangerous prototype keys such as __proto__ or constructor.prototype.
As a result, attacker-controlled paths can pollute Object.prototype.
Proof of Concept
// shown until this vulnerability has been solved
Actual Result
Expected Result
The assignment should not modify Object.prototype. The output should be:
Root Cause
setNestedValue allows user-controlled path segments to reach a deep-set operation without validation.
Dangerous paths such as:
__proto__.polluted
constructor.prototype.polluted
can write properties onto shared prototypes instead of only the provided target object.
Impact
If downstream applications pass user-controlled input into setNestedValue, this can lead to prototype pollution. Depending on how the polluted property is later used, this may cause unexpected behavior, logic bypasses, denial of service, or other application-level security issues.
Suggested Fix
Reject or safely handle dangerous path segments before calling the deep-set helper.
At minimum, block path components such as:
__proto__
prototype
constructor
especially paths that can resolve to constructor.prototype.
For example, setNestedValue should refuse to process paths containing prototype-pollution primitives, or use a safe setter implementation that does not mutate object prototypes.
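One way to implement the suggested fix, shown as an added example that is not @antv/layout's code or its actual patch. The names safeSetNestedValue, defineOwn and BLOCKED_SEGMENTS are hypothetical, and the setter is written by hand here instead of delegating to @antv/util / lodash set.

```javascript
// Segments that can reach a shared prototype (the list from the report above).
const BLOCKED_SEGMENTS = new Set(['__proto__', 'prototype', 'constructor']);

// Create an own data property; never triggers an inherited setter.
function defineOwn(obj, key, value) {
  Object.defineProperty(obj, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
}

// Hypothetical hardened setter (assumed name, not part of @antv/layout).
function safeSetNestedValue(target, path, value) {
  if (target === null || typeof target !== 'object') {
    throw new TypeError('target must be an object');
  }
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  const segments = path.split('.');
  // Validate the whole path first so a rejected path writes nothing.
  for (const segment of segments) {
    if (segment === '' || BLOCKED_SEGMENTS.has(segment)) {
      throw new RangeError('unsafe path segment: ' + JSON.stringify(segment));
    }
  }
  let node = target;
  for (const segment of segments.slice(0, -1)) {
    // Descend only through own properties; inherited ones such as toString
    // live on the prototype chain and must not be traversed or mutated.
    const own = Object.prototype.hasOwnProperty.call(node, segment);
    const child = own ? node[segment] : undefined;
    if (child === null || typeof child !== 'object') {
      // Missing or primitive intermediate: replace with a prototype-less object.
      defineOwn(node, segment, Object.create(null));
    }
    node = node[segment];
  }
  defineOwn(node, segments[segments.length - 1], value);
  return target;
}
```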
Affected Version
Confirmed on: