Prototype Pollution

HIGH
nodejs/node
Commit: 784ca7b1c240
Affected: <=25.9.0 (Node.js 25.x prior to this fix)
2026-04-05 11:20 UTC

Description

The commit mitigates a prototype pollution risk by avoiding calls to String.prototype.startsWith with user-controlled input in lib/internal/locks.js. The vulnerable code used name.startsWith('-'); if an attacker can mutate String.prototype.startsWith (prototype pollution), they can bypass the hyphen-prefix check by returning false, potentially allowing lock names starting with '-' to be processed.

Proof of Concept

Prerequisites: Untrusted code can mutate global built-ins (prototype pollution) in the process.

// Proof-of-concept:
// This demonstrates bypassing the hyphen-prefix check by polluting String.prototype.startsWith.
// Keep a reference to the genuine method so every other prefix still behaves normally.
const originalStartsWith = String.prototype.startsWith;
String.prototype.startsWith = function(prefix) {
  if (prefix === '-') return false; // attacker-controlled override
  return originalStartsWith.call(this, prefix);
};

const name = '-secret';
console.log('name.startsWith(-):', name.startsWith('-')); // prints false under the polluted prototype
try {
  // This mimics the vulnerable check in lib/internal/locks.js
  if (name.startsWith('-')) {
    throw new Error('NotSupportedError: Lock name may not start with hyphen');
  }
  console.log('Proceed, hyphen-prefix check passed under polluted prototype');
} catch (e) {
  console.log('Error:', e.message);
}
// The patched check in the diff below (name[0] === '-') reads an own indexed property of the
// string and never consults String.prototype, so this override has no effect on it.

Commit Details

Author: Taejin Kim

Date: 2026-01-29 22:27 UTC

Message:

lib: use StringPrototypeStartsWith from primordials in locks

Use StringPrototypeStartsWith from primordials instead of
String.prototype.startsWith to prevent prototype pollution.

Refs: https://github.com/nodejs/node/issues/59699
PR-URL: https://github.com/nodejs/node/pull/61492
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>

Triage Assessment

Vulnerability Type: Prototype Pollution

Confidence: HIGH

Reasoning:

The change replaces a potential prototype pollution surface (String.prototype.startsWith) with a safe access using primordials, mitigating a prototype pollution risk when user-controlled strings are used for checks.

Verification Assessment

Vulnerability Type: Prototype Pollution

Confidence: HIGH

Affected Versions: <=25.9.0 (Node.js 25.x prior to this fix)

Code Diff

diff --git a/lib/internal/locks.js b/lib/internal/locks.js index b3d605aa8bc79e..054197bcaefcc6 100644 --- a/lib/internal/locks.js +++ b/lib/internal/locks.js @@ -159,7 +159,7 @@ class LockManager { signal.throwIfAborted(); } - if (name.startsWith('-')) { + if (name[0] === '-') { // If name starts with U+002D HYPHEN-MINUS (-), then reject promise with a // "NotSupportedError" DOMException. throw lazyDOMException('Lock name may not start with hyphen',
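Review bot: the commit message says the fix switches to StringPrototypeStartsWith from primordials, but the hunk actually replaces `if (name.startsWith('-')) {` with `if (name[0] === '-') {`; the message and the code should be brought into agreement so reviewers auditing for prototype-pollution hardening find what the message promises. The indexed comparison does avoid the String.prototype lookup for a string primitive (an integer index is an own property of the string), so the mitigation holds, but only if `name` is guaranteed to be a string by the time this check runs; the hunk does not show that validation, and on a non-string value `name[0]` could resolve through an object's own or inherited properties, so a comment pointing at where `name` is coerced would help.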