Submit #851349: Node.js style-dictionary 5.4.3 Prototype Pollutioninfo

TitleNode.js style-dictionary 5.4.3 Prototype Pollution
DescriptionPrototype pollution in the public `style-dictionary/utils` entrypoint `convertTokenData()`. When `convertTokenData(tokens, { output: "object" })` converts token arrays into nested objects, it splits `token.key` on `.` and writes each segment into the output object without rejecting dangerous path segments such as `__proto__`, `constructor`, or `prototype`. As a result, an attacker-controlled token key like `__proto__.pp` can pollute `Object.prototype`. This is reachable through the documented public API: ```js mport { convertTokenData } from "style-dictionary/utils"; ``` Impact: if untrusted token data is processed, an attacker may be able to trigger application-wide prototype pollution, leading to logic corruption, unsafe property resolution, denial of service, or downstream exploitation depending on how polluted properties are used.
Source⚠️ https://github.com/style-dictionary/style-dictionary/issues/1699
User
 Dremig (UID 95003)
Submission06/08/2026 07:41 (1 month ago)
Moderation07/09/2026 07:08 (1 month later)
StatusDuplicate
VulDB entry373109 [style-dictionary up to 5.4.3 Expand API prototype pollution]
Points0

Might our Artificial Intelligence support you?

Check our Alexa App!