## GitHub Security Alert: Profile Import Feature Missing Prototype Pollution Guard
A security vulnerability in the profile import function of an application's source code exposes the system to prototype pollution attacks. The `importProfile()` function in `src/store/profile-store.ts` (lines 150–194) parses user-supplied JSON without checking for dangerous keys like `__proto__`, `constructor`, or `prototype`. This oversight creates a medium-severity security hole where maliciously crafted data can corrupt the fundamental `Object.prototype`.

While `JSON.parse()` itself is safe, the parsed object is not sanitized. If this object is later processed using common JavaScript operations like the spread operator (`{...obj}`), `Object.assign()`, or a `for...in` loop, the dangerous properties can be injected into the object prototype. An attacker could submit a payload embedding a `__proto__` key with a value like `{ "isAdmin": true }`, potentially altering the behavior of all objects in the application and leading to privilege escalation or other unpredictable failures.

The immediate impact is a direct risk of prototype pollution, which can cause denial-of-service, bypass security checks, or lead to remote code execution in downstream dependencies. This flaw highlights a critical gap in the data validation layer, where structural checks for required fields like `semesters` and `settings` are performed, but the sanitization for prototype-polluting keys is completely absent. The vulnerability remains active until the import logic is patched to explicitly reject or strip these dangerous properties before any further processing.
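
The guard this alert calls for, next to an unguarded import, as an added example in plain JavaScript that is not the project's `importProfile()` code (which the alert does not reproduce). The function names and sample inputs are hypothetical, and the check on `semesters` and `settings` is assumed to be a presence check only.

```javascript
// Added example: all names here are hypothetical, not the project's code.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Return the path of the first forbidden key found at any depth, or null.
function findForbiddenKey(value, path = "$") {
  if (value === null || typeof value !== "object") return null;
  for (const key of Object.keys(value)) {
    const here = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) return here;
    const nested = findForbiddenKey(value[key], here);
    if (nested !== null) return nested;
  }
  return null;
}

// Presence check only; the real shapes of these fields are not on the page.
function requireFields(obj) {
  for (const field of ["semesters", "settings"]) {
    if (!Object.prototype.hasOwnProperty.call(obj, field)) {
      throw new Error(`missing field: ${field}`);
    }
  }
}

// Guarded import: reject polluting keys before any other processing.
function importProfileGuarded(text) {
  const parsed = JSON.parse(text);
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("profile must be a JSON object");
  }
  const bad = findForbiddenKey(parsed);
  if (bad !== null) throw new Error(`forbidden key at ${bad}`);
  requireFields(parsed);
  return parsed;
}

// Unguarded counterpart: structural checks only, then a routine copy.
// Object.assign uses ordinary assignment, so the own "__proto__" key created
// by JSON.parse invokes the prototype setter on the copy.
function importProfileUnguarded(text) {
  const parsed = JSON.parse(text);
  requireFields(parsed);
  return Object.assign({}, parsed);
}

// Constructed sample inputs.
const CLEAN = '{"semesters": [], "settings": {"theme": "dark"}}';
const HOSTILE = '{"semesters": [], "settings": {}, "__proto__": {"isAdmin": true}}';
const NESTED = '{"semesters": [{"constructor": {}}], "settings": {}}';
```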

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, prototype pollution, javascript, code review
- **Credibility**: unverified
- **Published**: 2026-04-05 18:27:00
- **ID**: 50707
- **URL**: https://whisperx.ai/en/intel/50707