Intel

AIKIDO-2026-965960

@datadog/browser-core is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

59

Medium Risk

This Affects:

JS@datadog/browser-core
1.25.0 - 7.3.0
Fixed in 7.4.0
Are you affected? Scan for Free

TL;DR

The mergeInto utility in @datadog/browser-core performs a recursive deep merge that assigns into finalDestination[key] without guarding against the __proto__ key. When the merged data originates from untrusted input, such as context passed to the SDK or JSON read from storage and remote configuration via tryJsonParse, the recursion walks into __proto__ and mutates the shared Object.prototype. This lets an attacker inject or override properties on the global object prototype, corrupting application behavior for all objects. The fix skips the __proto__ key during merges in mergeInto (and therefore combine and deepClone) and strips __proto__ from objects returned by tryJsonParse.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@datadog/browser-core is vulnerable to Prototype Pollution in versions 1.25.0 - 7.3.0.

How to fix this

Upgrade the @datadog/browser-core library to the patch version.