
Prototype Pollution in hello.js (Issue #634)

Open abbadinikhilreddy55 opened this issue 1 month ago • 1 comments

The issue (titled “Prototype Pollution in hello.js” / Issue #634) reports that the function hello.utils.extend — which is part of hello.js — is vulnerable.

The problem lies in the implementation of extend, which recursively merges object properties. The code doesn’t guard against merging into dangerous keys such as __proto__. That means an attacker may craft input that modifies an object’s prototype.

Through this vulnerability, malicious users could pollute the prototype chain, resulting in potential cross-site scripting (XSS) or even remote code execution depending on usage context.

abbadinikhilreddy55 avatar Nov 26 '25 09:11 abbadinikhilreddy55

Thanks for raising that

MrSwitch avatar Nov 27 '25 19:11 MrSwitch
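
An added illustration of the merge pattern the issue describes, next to a guarded version. This is not hello.js source and not part of the thread: `naiveExtend`, `safeExtend`, `BLOCKED_KEYS` and the sample input are hypothetical names and constructed data.

```javascript
// Added illustration; NOT hello.js code. All names here are hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Unguarded recursive merge: the pattern the issue describes.
function naiveExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value) && isPlainObject(target[key])) {
      // For key "__proto__", target[key] resolves to Object.prototype.
      naiveExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Guarded merge: own keys only, blocked keys skipped, and recursion
// only into properties the target itself owns.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(value) && hasOwn && isPlainObject(target[key])) {
      safeExtend(target[key], value);
    } else {
      target[key] = isPlainObject(value) ? safeExtend({}, value) : value;
    }
  }
  return target;
}

// Constructed input: JSON.parse stores "__proto__" as an own property.
const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "name": "demo"}');

function demo() {
  const before = ({}).polluted;        // clean baseline
  naiveExtend({}, untrusted);
  const afterNaive = ({}).polluted;    // every object now inherits the flag
  delete Object.prototype.polluted;    // restore the global prototype
  const merged = safeExtend({}, untrusted);
  const afterSafe = ({}).polluted;     // guarded merge leaves it untouched
  return { before, afterNaive, afterSafe, name: merged.name };
}
```

A quick regression check for any merge helper is the same shape as `demo()`: merge a parsed payload containing a `__proto__` key into a fresh object, then assert that an unrelated empty object did not gain the property.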