ljharb / qs

A querystring parser with nesting support
BSD 3-Clause "New" or "Revised" License

A question about CVE-2022-24999 #497

Closed heheda1212138 closed 1 month ago

heheda1212138 commented 5 months ago

Hi, I'm looking at the CVE-2022-24999 vulnerability, but I'm confused about how Prototype Pollution is caused. I read the source code, and I think the [hasOwnProperty] function has filtered the 'proto' attribution, and even if I set 'allowPrototype' as true, it will assign an object to 'proto', so it won't cause Prototype Pollution. So, if you can give me some hint, I'll appreciate it very much!

ljharb commented 5 months ago

As you can see from the linked PR, #428, it's not actually "prototype pollution" in that it doesn't pollute any shared [[Prototype]] objects - but it can pollute the prototype of the resulting parsed object, which can cause bugs in server code.
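To make that distinction concrete, here is an added illustration (constructed for this page, not qs's own code): a tiny nested-key parser that builds objects from the innermost key outward and assigns with plain `obj[key] = value`, fed the constructed query `__proto__[isAdmin]=true`. The hardened variant uses null-prototype objects, which is one way to keep such a key as ordinary own data; it is not a claim about how qs itself fixed it.

```javascript
// "a[b][c]" -> ["a", "b", "c"]
function splitKey(rawKey) {
  return rawKey.replace(/\]/g, "").split("[");
}

// Naive build-from-the-leaf: {c: v} -> {b: {c: v}} -> {a: {b: {c: v}}}.
// When a segment is "__proto__", `obj[segment] = leaf` does not create an
// own property; it hits the inherited __proto__ setter and replaces the
// [[Prototype]] of this freshly created object. Object.prototype is untouched.
function buildNaive(segments, value) {
  let leaf = value;
  for (let i = segments.length - 1; i >= 0; i--) {
    const obj = {};
    obj[segments[i]] = leaf;
    leaf = obj;
  }
  return leaf;
}

// Hardened build: null-prototype objects have no __proto__ setter, so the
// segment becomes an ordinary own property named "__proto__".
function buildHardened(segments, value) {
  let leaf = value;
  for (let i = segments.length - 1; i >= 0; i--) {
    const obj = Object.create(null);
    obj[segments[i]] = leaf;
    leaf = obj;
  }
  return leaf;
}

// Parse a single "key=value" pair (merging of repeated keys is out of scope).
function parsePair(pair, build) {
  const eq = pair.indexOf("=");
  const rawKey = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : decodeURIComponent(pair.slice(eq + 1));
  return build(splitKey(decodeURIComponent(rawKey)), value);
}

function demo() {
  const naive = parsePair("__proto__[isAdmin]=true", buildNaive);
  const hardened = parsePair("__proto__[isAdmin]=true", buildHardened);
  const hasOwn = Object.prototype.hasOwnProperty;
  return {
    sharedPrototypeTouched: hasOwn.call(Object.prototype, "isAdmin"), // false: no global pollution
    naivePrototypeReplaced: Object.getPrototypeOf(naive) !== Object.prototype, // true
    naiveInherits: naive.isAdmin,                     // "true", inherited, not own data
    naiveOwnKeys: Object.keys(naive).length,          // 0: the parsed data "vanished"
    hardenedOwnProtoKey: hasOwn.call(hardened, "__proto__"), // true: plain own property
    hardenedInherits: hardened.isAdmin,               // undefined
  };
}
```

The `naiveOwnKeys` result is the server-side bug the reply alludes to: the parsed object looks empty to `Object.keys`, JSON serialisation and own-property checks, yet `naive.isAdmin` still reads `"true"` through its replaced prototype.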