mapbox-gl is vulnerable to Prototype Pollution
58
Medium Risk
Internal registries in mapbox-gl store style layers, source caches, feature state, and 3D model entries in plain object literals keyed by identifiers taken from untrusted style JSON, vector/GeoJSON tiles, or promoteId feature IDs, and the style-spec validator iterates those objects with for...in. A hostile identifier such as __proto__ (delivered through a JSON.parsed style, a source or layer ID, or a feature ID) resolves through the prototype chain, so lookups and Object.assign writes land on Object.prototype instead of an own property. This lets an untrusted style or tile pollute the global object prototype for the page and can also crash style validation with an uncaught error. The fix switches these maps to Object.create(null) and adds Object.hasOwn guards so untrusted keys are handled as own properties.
You are affected if you are using a version that falls within the vulnerable range and your application loads untrusted style JSON or tile data.
mapbox-gl is vulnerable to Prototype Pollution in versions 1.0.0 - 3.24.1.
Upgrade the mapbox-gl library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant