lexical is vulnerable to Prototype Pollution
42
Medium Risk
The lexical core editor preserves unknown node-state entries when deserializing serialized editor state. The deserialization path writes keys directly from the parsed JSON, so a crafted payload using a __proto__ key can re-parent the internal state record. Because state lookups resolve keys with the in operator, which walks the prototype chain, this lets an attacker inject state values that override the defaults. The fix skips __proto__, constructor, and prototype keys and copies only own properties when restoring unknown state.
You are affected if you are using a version that falls within the vulnerable range and your application deserializes Lexical editor state from untrusted input.
lexical is vulnerable to Prototype Pollution in versions 0.26.0 - 0.45.0.
Upgrade the lexical library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant