Skip to content

Fix prototype pollution in removeAttributeNS#55

Merged
Raynos merged 2 commits intoRaynos:masterfrom
jameswassink:fix/prototype-pollution-removeAttributeNS
Nov 6, 2025
Merged

Fix prototype pollution in removeAttributeNS#55
Raynos merged 2 commits intoRaynos:masterfrom
jameswassink:fix/prototype-pollution-removeAttributeNS

Conversation

@jameswassink
Copy link
Contributor

@jameswassink jameswassink commented Oct 2, 2025

This should prevent the prototype pollution vulnerability raised in #54

@jameswassink jameswassink mentioned this pull request Oct 2, 2025
Open
@danrossi danrossi mentioned this pull request Oct 3, 2025
Closed
jfrej
jfrej reviewed Oct 3, 2025
View reviewed changes
dom-element.js Outdated
DOMElement.prototype.removeAttributeNS =
function _Element_removeAttributeNS(namespace, name) {
var forbiddenKeys = ['__proto__', 'constructor', 'prototype'];
if (forbiddenKeys.includes(name)) {
Copy link

@jfrej jfrej Oct 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How would name being any of these keys lead to a prototype pollution?

name is only used in delete attributes[name] below.
I don't think you can pollute the prototype using delete and you can't delete the prototype or constructor either.

skoilakonda
skoilakonda reviewed Oct 3, 2025
View reviewed changes
dom-element.js Outdated
Comment on lines 135 to 137
var attributes = this._attributes[namespace];
if (attributes) {
delete attributes[name]
Copy link

@skoilakonda skoilakonda Oct 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

// Safely access and delete the attribute
const attributes = this._attributes?.[namespace];
if (attributes && Object.prototype.hasOwnProperty.call(attributes, name)) {
    delete attributes[name];
}

Copy link
Contributor Author

@jameswassink jameswassink Oct 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, this makes more sense. I've updated the code.

@nekyouto
Copy link

nekyouto commented Oct 22, 2025

Will there be a new release in npm to rectify this issue? I'm getting this being flagged out when I conduct a OWASP scan.

Looking forward to your inputs.

@danrossi
Copy link

danrossi commented Oct 31, 2025

Is it possible to merge this and make a release. As it's failing audits for many packages including video.js

@patmmccann
Copy link

patmmccann commented Oct 31, 2025

@danrossi the library maintainer indicated it will not be released #54 (comment)

@Raynos Raynos merged commit fe32e8d into Raynos:master Nov 6, 2025
@wasabina67 wasabina67 mentioned this pull request Nov 10, 2025
Merged
dapi added a commit to merchantly/front-public that referenced this pull request Jan 18, 2026
@dapi @claude
security: bump min-document from 2.19.0 to 2.19.2
1739db5 
Fixes prototype pollution vulnerability in removeAttributeNS.

Ref: Raynos/min-document#55
Ref: Raynos/min-document#56

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Raynos Raynos Raynos approved these changes

+5 more reviewers

@jfrej jfrej jfrej left review comments

@skoilakonda skoilakonda skoilakonda left review comments

@karthikeyar9 karthikeyar9 karthikeyar9 approved these changes

@gkonuralp gkonuralp gkonuralp approved these changes

@abhijeetJaisw abhijeetJaisw abhijeetJaisw approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@jameswassink @nekyouto @danrossi @patmmccann @Raynos @karthikeyar9 @jfrej @gkonuralp @skoilakonda @abhijeetJaisw