Skip to main content
Run any Skill in Manus
with one click

prototype-pollution

Stars2
Forks1
UpdatedJuly 9, 2026 at 12:42

SAST detection methodology for JavaScript/Node prototype pollution (CWE-1321), including client-side PP feeding DOM XSS gadgets and server-side PP escalating to RCE via child_process and template-engine option gadgets. Covers vulnerable recursive merge/extend/clone/set utilities, __proto__/constructor.prototype keys, and nested-object parsers. Use when reviewing JS that merges, clones, or deep-sets objects from untrusted input. Writes confirmed findings to findings/14-prototype-pollution.md.

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

SKILL.md
readonly