Summary
Currently, Axios provides a basic __proto__ check in /lib/helpers/formDataToJSON.js
to prevent prototype pollution. However, other dangerous keys such as constructor
and prototype can still potentially be used to manipulate object prototypes.
### Steps to Reproduce
**While the risk is mitigated in most environments, the following edge case demonstrates
a potential unsafe assignment if data is parsed directly into an object:
```js
const payload = { constructor: { prototype: { hacked: true } } };
fix(helper): extend prototype pollution protection in formDataToJSON
Summary
Improved prototype pollution protection in formDataToJSON.js by extending
the existing __proto__ check to also guard against constructor and prototype keys.
Changes
Added check for constructor and prototype in key filtering logic
Added unit tests to confirm unsafe keys are ignored
Verified no performance regression in helper execution
Motivation
This is a security hardening change to prevent potential prototype
pollution when converting user-supplied FormData to JSON.
Notes
No breaking changes
Fully backward-compatible
Low-risk, localized patch
Fixes #7209**
Summary
Currently, Axios provides a basic
__proto__check in/lib/helpers/formDataToJSON.jsto prevent prototype pollution. However, other dangerous keys such as
constructorand
prototypecan still potentially be used to manipulate object prototypes.