Why AI-generated JavaScript merge code risks prototype pollution

JavaScript developers relying on AI assistants to generate utility functions may unknowingly introduce prototype pollution vulnerabilities into their applications. A recent audit of an AI-crafted deep merge helper revealed a common but dangerous pattern that persists across JavaScript communities and coding tools.

The issue centers on how AI models replicate legacy JavaScript patterns from pre-2020 tutorials. When tasked with writing a deep merge function—common in backend utilities—many assistants default to iterating object properties using for...in, which includes inherited properties like __proto__. This design choice, while common in outdated tutorials, creates an exploitable vector for prototype pollution attacks.

In a practical demonstration, an AI-generated function failed to filter inherited properties, allowing an attacker-controlled input to manipulate the global Object.prototype. The consequences included bypassing authentication checks and modifying application behavior across the entire runtime.

The vulnerable pattern in AI-generated code

A typical AI-generated deep merge function follows this structure:

deepMerge(target, source) {
  for (const key in source) {
    if (source[key] && typeof source[key] === 'object') {
      target[key] = deepMerge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

The vulnerability lies in the use of for...in without explicit protection against inherited properties. While this code works for most cases, it unintentionally allows modification of the object prototype chain through keys like __proto__ or constructor.

Why AI assistants keep producing insecure code

The root cause traces back to training data patterns. From 2013 to 2019, StackOverflow and tutorial websites frequently recommended for...in loops for object iteration, often without security considerations. Modern AI models, trained on these historical sources, replicate this pattern by default because it represents the most statistically common solution.

Security-focused alternatives like Object.hasOwn() or explicit prototype guards exist in the training corpus but appear less frequently in general-purpose coding tutorials. Without explicit security prompts, AI assistants tend to generate the most common—not necessarily the most secure—implementation.

This issue affects multiple AI coding tools. Cursor, Claude Code, and GitHub Copilot have all been observed producing this vulnerable pattern when asked to generate object merging utilities.

How to fix prototype pollution in merge functions

Two straightforward approaches can eliminate the vulnerability without requiring major refactoring:

Guard against inherited properties with `Object.hasOwn()`:

function deepMerge(target, source) {
  for (const key in source) {
    if (!Object.hasOwn(source, key)) continue;
    if (source[key] && typeof source[key] === 'object') {
      target[key] = deepMerge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

This minimal change preserves the original structure while blocking inherited properties like __proto__.

Switch to `Object.keys()` for cleaner iteration:

function deepMerge(target, source) {
  Object.keys(source).forEach(key => {
    if (source[key] && typeof source[key] === 'object') {
      target[key] = deepMerge(target[key] || {}, source[key]);
    } else {
      target[key] = source[key];
    }
  });
  return target;
}

This approach naturally excludes inherited properties while being functionally equivalent.

For applications accepting untrusted input, add validation before merging:

function isSafeObject(obj) {
  return !('__proto__' in obj) && 
         !('constructor' in obj) && 
         !('prototype' in obj);
}

Use this to filter inputs before they reach the merge function.

Beyond utility functions: broader implications

Prototype pollution vulnerabilities extend beyond simple merge utilities. Similar patterns appear in configuration loaders, settings mergers, API patch endpoints, and anywhere user input interacts with application defaults. A thorough codebase audit should search for for (const key in patterns and review every instance.

Early detection remains the most effective defense. Tools like SafeWeave integrate with AI coding assistants to flag dangerous patterns before developers proceed. Even basic static analysis with Semgrep or GitLeaks in pre-commit hooks can catch most occurrences of this vulnerability pattern.

As AI-assisted development accelerates, developers must pair convenience with vigilance. The same tools that accelerate coding also replicate historical patterns—some of which carry significant security risks. Proactive auditing and minimal safeguards can prevent these vulnerabilities from reaching production environments.