Intel

AIKIDO-2026-465810

@inertiajs/core is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 26, 2026

63

Medium Risk

This Affects:

JS@inertiajs/core
3.0.0 - 3.0.3
Fixed in 3.1.0
Are you affected? Scan for Free

TL;DR

The @inertiajs/core package parses URL query strings into nested objects with a custom parser used by mergeDataIntoQueryString. The parser walks bracket-notation keys and assigns them onto a target object without rejecting the special __proto__ key. An attacker who gets a victim to load a URL containing a crafted __proto__ query parameter can modify Object.prototype, injecting properties onto all objects and enabling denial of service or downstream gadget abuse. The fix skips assignment whenever any parsed key equals __proto__.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application parses untrusted URL query strings via mergeDataIntoQueryString.

Background info

@inertiajs/core is vulnerable to Prototype Pollution in versions 3.0.0 - 3.0.3.

How to fix this

Upgrade the @inertiajs/core library to the patch version.