Submit #856979: Node.js Inputmask 5.0.9 Prototype Pollutioninfo

TitleNode.js Inputmask 5.0.9 Prototype Pollution
Description`inputmask` exposes `extendDefaults()`, `extendDefinitions()`, and `extendAliases()` as public APIs. These methods call the internal deep merge helper with attacker-controlled keys. Passing an object containing `__proto__` to `extendDefaults()` can pollute `Object.prototype`. `extendDefaults()` forwards user-controlled data to the internal deep merge helper: ```js Inputmask.extendDefaults = function (options) { $.extend(true, Inputmask.prototype.defaults, options); }; ``` The merge helper in `lib/dependencyLibs/extend.js` iterates over source keys and writes them directly to the target: ```js for (name in options) { src = target[name]; copy = options[name]; if ( deep && copy && (Object.prototype.toString.call(copy) === "[object Object]" || (copyIsArray = Array.isArray(copy))) ) { clone = src && Object.prototype.toString.call(src) === "[object Object]" ? src : {}; target[name] = extend(deep, clone, copy); } else if (copy !== undefined) { target[name] = copy; } } ``` When `name` is `__proto__`, `target[name]` resolves through the prototype accessor instead of being treated as a normal own property. During deep merge, the nested object is then merged into the prototype object, which allows assignments such as: ```js Object.prototype.polluted = "yes"; ``` The same merge helper is also used by `extendDefinitions()`, `extendAliases()`, and multiple option-merging paths, so the fix should be applied in the shared merge logic rather than only in `extendDefaults()`.
Source⚠️ https://github.com/RobinHerbots/Inputmask/issues/2885
User
 wjm1 (UID 98929)
Submission06/12/2026 14:09 (1 month ago)
Moderation07/17/2026 21:01 (1 month later)
StatusAccepted
VulDB entry379909 [RobinHerbots Inputmask up to 5.0.9 Internal Deep Merge Helper extend.js extendDefaults/extendDefinitions/extendAliases prototype pollution]
Points20

Might our Artificial Intelligence support you?

Check our Alexa App!