by ricardobeat 2145 days ago
Indeed, though you'll only manage to break or DDOS the server by doing that.

It seems that the Ghost vulnerability explained in the paper relied on the handlebars engine calling the equivalent of `eval()` on a string value, in the global scope, plus a path traversal vulnerability allowing loading a template from node_modules.

Are there any other examples of this being exploited in a meaningful way? Even if you end up passing raw user input to key and value, user payloads will never be able to define a function, so the possibilities are very limited. I think having every NPM library that does object assignment using a user-provided key be marked as 'vulnerable to prototype pollution' is quite different from it 'being a problem very often' in practice. Happy to be shown otherwise.

1 comments

It could be serious.

Let's say your company's code is open-source, and the attacker knows there is code somewhere like this:

    let state = getState(); // returns empty {} if user not authenticated

    if (!state.userIsAuthenticated) {
        // lookup falls through to Object.prototype when the key is not set on state
        return respond(401);
    }

    showBankAccount();

If the hacker is able to set `Object.prototype.userIsAuthenticated` then the auth check is now bypassed.

So I think the break / DDOS is pretty serious here.
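The two comments above disagree on how far "object assignment using a user-provided key" can be pushed. The following is an added example, not code posted in the thread: a small recursive merge that trusts request keys (the pattern the first comment describes), the JSON payload that turns it into a write to `Object.prototype`, and the authentication check from the second comment, first as written and then hardened. The names `mergeUnsafe`, `mergeSafe`, `getState`, `handleRequest` and `handleRequestHardened` are invented for the illustration, and the request body is constructed here.

```javascript
// Added example, not from the thread. All function names and the sample payload
// are constructed for illustration.

// Vulnerable: copies every enumerable key from source into target, so a key of
// "__proto__" makes target[key] resolve to Object.prototype and the recursion
// writes the attacker's values onto the shared prototype.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val !== null && typeof val === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeUnsafe(target[key], val); // target["__proto__"] is Object.prototype
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: only own keys of source, prototype-related keys skipped, and nested
// targets are created fresh unless they are own properties of target.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    const val = source[key];
    if (val !== null && typeof val === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// The check from the comment: getState() returns an empty {} for an anonymous request.
function getState(session) {
  return session && session.user ? { userIsAuthenticated: true, user: session.user } : {};
}

function handleRequest(session) {
  const state = getState(session);
  if (!state.userIsAuthenticated) return 401; // falls through to Object.prototype
  return 200; // showBankAccount()
}

// Hardened check: only an own property on state counts, and it must be exactly true.
function handleRequestHardened(session) {
  const state = getState(session);
  const ok = Object.prototype.hasOwnProperty.call(state, 'userIsAuthenticated')
    && state.userIsAuthenticated === true;
  return ok ? 200 : 401;
}

// Runs the attack through both merges against an anonymous request (session = null),
// records the outcomes and undoes the pollution so the rest of the process is unaffected.
function demo() {
  // Constructed attacker request body, e.g. a "save preferences" POST.
  const payload = JSON.parse('{"theme":"dark","__proto__":{"userIsAuthenticated":true}}');
  const results = {};
  try {
    mergeUnsafe({}, payload);
    results.polluted = ({}).userIsAuthenticated === true;
    results.unsafeMergeStatus = handleRequest(null);          // 200: bypass
    results.unsafeMergeHardenedCheck = handleRequestHardened(null); // 401
  } finally {
    delete Object.prototype.userIsAuthenticated;
  }
  const prefs = mergeSafe({}, payload);
  results.safeMergeStatus = handleRequest(null);              // 401
  results.safeKeys = Object.keys(prefs);                      // ["theme"]
  return results;
}

module.exports = { mergeUnsafe, mergeSafe, getState, handleRequest, handleRequestHardened, demo };
```

Note that the attacker never defines a function or touches `eval`: a single JSON body with a `__proto__` key is enough, because `JSON.parse` creates it as an ordinary own property and the merge then dereferences it as the prototype. The fix has two independent halves, and both are worth having: the merge refuses prototype keys, and the check reads the flag as an own property rather than through the prototype chain.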