@datadog/browser-core is vulnerable to Prototype Pollution
59
Medium Risk
The mergeInto utility in @datadog/browser-core performs a recursive deep merge that assigns into finalDestination[key] without guarding against the __proto__ key. When the merged data originates from untrusted input, such as context passed to the SDK or JSON read from storage and remote configuration via tryJsonParse, the recursion walks into __proto__ and mutates the shared Object.prototype. This lets an attacker inject or override properties on the global object prototype, corrupting application behavior for all objects. The fix skips the __proto__ key during merges in mergeInto (and therefore combine and deepClone) and strips __proto__ from objects returned by tryJsonParse.
You are affected if you are using a version that falls within the vulnerable range.
@datadog/browser-core is vulnerable to Prototype Pollution in versions 1.25.0 - 7.3.0.
Upgrade the @datadog/browser-core library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant