| Title | Node.js style-dictionary 5.4.3 Prototype Pollution |
|---|
| Description | Prototype pollution in the public `style-dictionary/utils` entrypoint `convertTokenData()`.
When `convertTokenData(tokens, { output: "object" })` converts token arrays into nested objects, it splits `token.key` on `.` and writes each segment into the output object without rejecting dangerous path segments such as `__proto__`, `constructor`, or `prototype`.
As a result, an attacker-controlled token key like `__proto__.pp` can pollute `Object.prototype`.
This is reachable through the documented public API:
```js
mport { convertTokenData } from "style-dictionary/utils";
```
Impact: if untrusted token data is processed, an attacker may be able to trigger application-wide prototype pollution, leading to logic corruption, unsafe property resolution, denial of service, or downstream exploitation depending on how polluted properties are used. |
|---|
| Source | ⚠️ https://github.com/style-dictionary/style-dictionary/issues/1699 |
|---|
| User | Dremig (UID 95003) |
|---|
| Submission | 06/08/2026 07:41 (1 month ago) |
|---|
| Moderation | 07/09/2026 07:08 (1 month later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 373109 [style-dictionary up to 5.4.3 Expand API prototype pollution] |
|---|
| Points | 0 |
|---|