Intel

AIKIDO-2026-953702

mapbox-gl is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

58

Medium Risk

This Affects:

JSmapbox-gl
1.0.0 - 3.24.1
Fixed in 3.25.0
Are you affected? Scan for Free

TL;DR

Internal registries in mapbox-gl store style layers, source caches, feature state, and 3D model entries in plain object literals keyed by identifiers taken from untrusted style JSON, vector/GeoJSON tiles, or promoteId feature IDs, and the style-spec validator iterates those objects with for...in. A hostile identifier such as __proto__ (delivered through a JSON.parsed style, a source or layer ID, or a feature ID) resolves through the prototype chain, so lookups and Object.assign writes land on Object.prototype instead of an own property. This lets an untrusted style or tile pollute the global object prototype for the page and can also crash style validation with an uncaught error. The fix switches these maps to Object.create(null) and adds Object.hasOwn guards so untrusted keys are handled as own properties.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application loads untrusted style JSON or tile data.

Background info

mapbox-gl is vulnerable to Prototype Pollution in versions 1.0.0 - 3.24.1.

How to fix this

Upgrade the mapbox-gl library to the patch version.