菜单
Hunt JavaScript prototype pollution (CWE-1321) — the 2023-2026 meta-vulnerability that chains into RCE, auth bypass, and SSRF on most Node.js stacks.
Drive Decepticon — an autonomous multi-agent red-team framework — over MCP to run authorized penetration tests and bug-bounty engagements end to end, then watch and steer them live from chat. Launch an engagement against a target, poll its transcript to narrate progress, send messages to refocus it, and pull findings as SARIF. Use when the user asks to run a pentest/red-team engagement, hunt a bug bounty, do recon, exploit/scan a host, web app, API, network, cloud, Active Directory, mobile app, or smart contract WITH Decepticon — or to check/resume a running engagement or report what Decepticon found. Triggers: run a decepticon engagement, pentest this with decepticon, bug bounty, recon this target, red team this, scan this host, resume the engagement, what did decepticon find, decepticon status. Do NOT use for ad-hoc local tool runs (running nmap/sqlmap/ffuf directly) when no Decepticon server is involved — this drives the Decepticon orchestrator, not raw tools.
IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting.
Mobile application security reconnaissance — APK/IPA analysis, permission enumeration, certificate validation, hardcoded secret detection, insecure storage identification, network security analysis.
Wireless network security reconnaissance — WiFi analysis, Bluetooth assessment, RFID/NFC evaluation, signal capture, protocol analysis, encryption testing, rogue device detection.
Operational-tier finding template — minimal fields for sub-agent decision support. Heavyweight deliverable promotion lives in skills/decepticon/final-report.
Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.
| name | prototype-pollution |
| description | Hunt JavaScript prototype pollution (CWE-1321) — the 2023-2026 meta-vulnerability that chains into RCE, auth bypass, and SSRF on most Node.js stacks. |
| metadata | {"subdomain":"web-exploitation","when_to_use":"javascript prototype pollution cwe-1321 node js __proto__ constructor chain rce auth bypass ssrf gadget"} |
Prototype pollution is the JavaScript equivalent of a universal gadget:
plant a property on Object.prototype and it appears on every object in
the runtime. Worthless in isolation, deadly in chain (__proto__.isAdmin = true → auth bypass; __proto__.shell = "/bin/bash" → RCE via spawn).
Keep a running list per engagement. These continue to ship sinks in 2026:
lodash.merge, deepmerge (pre-fix), merge-deep, deepExtend, hoek.merge, mixmelodash.defaultsDeep, lodash.zipObjectDeep, set-value (pre-3.0.3)qs, express-fileupload, jquery.extend(true, ...)node-config recursive merge, dotenv-extended, rc# Every JS/TS project: sweep known-bad versions
jq '.dependencies,.devDependencies | to_entries[] | select(.key | test("merge|lodash|set-value|dot-object|dot-prop|node-pg"))' /workspace/src/package.json
npm ls lodash set-value dot-prop 2>/dev/null | grep -E '[0-9]'
Any user input deserialized into a nested object:
body-parser, express.json)qs with default config parses a[b][__proto__][c]=1)Poisoning Object.prototype doesn't do anything by itself — you need
a gadget that reads a property that didn't exist before.
Classic gadgets:
child_process.spawn(cmd, args, opts) — opts has a shell option.
Poison __proto__.shell = "/bin/bash" then any subsequent spawn call
executes through bash and interprets args as shell strings.options.someFlag with
if (opts.someFlag). Poisoning that flag flips security defaults.helpers and partials from
the context object; pollution adds helpers that execute code.lodash.template — if the template source is built from _.template(tpl, ctx) you can inject via polluted escape/evaluate keys.mongoose — polluting Schema.Types causes subsequent schema
definitions to use attacker-controlled types.# Classic lodash.merge RCE via child_process.spawn
curl -X POST https://target.com/api/settings \
-H 'Content-Type: application/json' \
-d '{"__proto__": {"shell": "/bin/bash", "env": {"PATH": "/tmp:/usr/bin"}}}'
# Second request triggers the gadget
curl https://target.com/api/render-pdf
# → any subsequent child_process.spawn call now runs through /bin/bash
validate_findingObject.prototype__proto__.isAdminNegative control: same payload with proto (no leading underscores) —
should have no effect. If it does, the endpoint is treating that key
specially and the finding is unrelated.
| Variant | Vector | Score |
|---|---|---|
| DoS (crash Node process) | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 7.5 |
Auth bypass via isAdmin pollution | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 9.1 |
| RCE via spawn gadget | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 10.0 |
Prototype pollution is almost always the first hop of a chain. After
validation, add an enables edge from the pollution vuln to:
Chain weight 0.4 — pollution is cheap once the merge sink is known.