@inertiajs/core is vulnerable to Prototype Pollution
63
Medium Risk
The @inertiajs/core package parses URL query strings into nested objects with a custom parser used by mergeDataIntoQueryString. The parser walks bracket-notation keys and assigns them onto a target object without rejecting the special __proto__ key. An attacker who gets a victim to load a URL containing a crafted __proto__ query parameter can modify Object.prototype, injecting properties onto all objects and enabling denial of service or downstream gadget abuse. The fix skips assignment whenever any parsed key equals __proto__.
You are affected if you are using a version that falls within the vulnerable range and your application parses untrusted URL query strings via mergeDataIntoQueryString.
@inertiajs/core is vulnerable to Prototype Pollution in versions 3.0.0 - 3.0.3.
Upgrade the @inertiajs/core library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant