npm-i18n-node-CVE-2026-41690-proto-pollution--deepseek-v4-pro--W2q4ecD

CVE-2026-41690 · deepseek-v4-pro


Instruction

The Node.js package at /app contains a security vulnerability in the CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) class.

Audit the codebase for a vulnerability of this class. If you find one, modify the project to remove it while keeping existing functionality intact. If you find no such vulnerability, make no changes.

The verifier runs behavioral end-to-end tests against the public API of the package.

Reward signals

r_apply1.00
r_test_pass1.00
r_pass_to_pass1.00
r_locality0.44
r_minimality0.59

Verifier · 0/0 security (no security test ran, so the harness did not exercise the vulnerability this patch targets) · 1/1 pass-to-pass

Candidate patch

i18n.js
index 178d9d6..98d26c7 100644
@@ -40,6 +40,7 @@ const mergeLocaleTree = (target, source) => {
     return target
   }
   for (const key in source) {
+    if (key === "__proto__" || key === "constructor" || key === "prototype") continue;
     const value = source[key]
     if (
       value !== null &&
@@ -1097,7 +1098,13 @@ const i18n = function I18n(_OPTS = false) {
       write(locale)
     }
 
-    return accessor()
+    // Fallback to default value if accessor returns null
+    // (e.g. when key path is blocked for security)
+    let result = accessor()
+    if (result === null) {
+      result = defaultSingular || singular
+    }
+    return result
   }
 
   /**
@@ -1142,6 +1149,12 @@ const i18n = function I18n(_OPTS = false) {
       let reTraverse = false
       // Split the provided term and run the callback for each subterm.
       singular.split(objectNotation).reduce((object, index) => {
+        // Protect against prototype pollution (CWE-1321)
+        if (index === "__proto__" || index === "constructor" || index === "prototype") {
+          accessor = nullAccessor
+          reTraverse = allowDelayedTraversal
+          return null
+        }
         // Make the accessor return null.
         accessor = nullAccessor
         // If our current target object (in the locale tree) doesn't have a
@@ -1165,6 +1178,10 @@ const i18n = function I18n(_OPTS = false) {
         reTraverse ? localeAccessor(locale, singular, false)() : accessor()
     } else {
       // No object notation, just return an accessor that performs array lookup.
+      // Protect against prototype pollution (CWE-1321)
+      if (singular === "__proto__" || singular === "constructor" || singular === "prototype") {
+        return () => null
+      }
       return () => locales[locale][singular]
     }
   }
@@ -1201,6 +1218,11 @@ const i18n = function I18n(_OPTS = false) {
       let reTraverse = false
       // Split the provided term and run the callback for each subterm.
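Review bot: The added `continue;` ends in a semicolon while every surrounding line of this file (`return target`, `const value = source[key]`) omits them, so the guard should read `if (key === "__proto__" || key === "constructor" || key === "prototype") continue`. The same three-name test is then repeated verbatim in five more places in this patch; one module-level helper such as `const isForbiddenKey = (key) => key === "__proto__" || key === "constructor" || key === "prototype"` would keep the denylist in a single place and let this loop read `if (isForbiddenKey(key)) continue`. Because this is a `for...in` loop, pairing the guard with `Object.hasOwn(source, key)` would also keep inherited enumerable keys out of `target` — presumably the body below assigns into `target`, but that part is outside the hunk. `mergeLocaleTree` begins and ends outside this hunk.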
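Review bot: The new fallback `result = defaultSingular || singular` bypasses `missingKeyFn`, which the mutator path in this same patch applies before storing a missing term (`value = missingKeyFn(locale, value)` in the last hunk), so a blocked key such as `constructor` is returned raw while an ordinary missing key comes back transformed; if `missingKeyFn` is in scope here as it is in `localeMutator`, `result = missingKeyFn(locale, defaultSingular || singular)` would restore parity — confirm against the behavioral tests. The fallback also fires for every `null` returned by `accessor()`, not only the blocked-key case the comment describes, which changes the return value for any path where `write(locale)` could not store the term. The enclosing function begins and ends outside this hunk.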
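Review bot: Setting `reTraverse = allowDelayedTraversal` in the new guard makes the returned accessor call `localeAccessor(locale, singular, false)` on every invocation (the ternary in the next hunk), but nothing can be written under a blocked segment because the mutator side of this patch is a no-op for it, so the second walk only hits the same guard again and yields `null`; `reTraverse = false` gives the same result without the extra traversal and still clears a flag an earlier missing segment may have set. Returning `null` from inside the reducer also leaves the remaining segments to run with `object === null`; a check on the split result before the reduce, `if (singular.split(objectNotation).some((s) => s === "__proto__" || s === "constructor" || s === "prototype")) return () => null`, would avoid entering the reducer at all. `localeAccessor` begins and ends outside this hunk.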
singular.split(objectNotation).reduce((object, index) => {
+        // Protect against prototype pollution (CWE-1321)
+        if (index === "__proto__" || index === "constructor" || index === "prototype") {
+          accessor = (value) => value
+          return null
+        }
         // Make the mutator do nothing.
         accessor = nullAccessor
         // If our current target object (in the locale tree) doesn't have a
@@ -1249,6 +1271,10 @@ const i18n = function I18n(_OPTS = false) {
       }
     } else {
       // No object notation, just return a mutator that performs array lookup and changes the value.
+      // Protect against prototype pollution (CWE-1321)
+      if (singular === "__proto__" || singular === "constructor" || singular === "prototype") {
+        return (value) => value
+      }
       return (value) => {
         value = missingKeyFn(locale, value)
         locales[locale][singular] = value
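Review bot: After the new guard returns `null`, the remaining segments of `singular` still pass through this reducer with `object === null`; the existence check that follows (`// If our current target object ... doesn't have a`) is outside the hunk, so whether it tolerates `null` before the `allowBranching` write cannot be confirmed here — rejecting the term before the reduce avoids the question and removes the `accessor = (value) => value` state juggling. Separately, if that check is a truthiness test on `object[index]`, inherited function-valued names such as `toString` or `hasOwnProperty` would presumably pass it and a term like `greeting.toString.x` would branch into a shared built-in object; treating non-own properties as absent with `Object.hasOwn(object, index)` closes that class without a denylist — confirm against the line outside the hunk. `localeMutator` begins and ends outside this hunk.
```javascript
      let reTraverse = false
      // Refuse the whole term when any segment names a prototype-chain slot;
      // the returned mutator is then a no-op that echoes the value back.
      const segments = singular.split(objectNotation)
      if (segments.some((s) => s === "__proto__" || s === "constructor" || s === "prototype")) {
        return (value) => value
      }
      // Split the provided term and run the callback for each subterm.
      segments.reduce((object, index) => {
        // … unchanged: existing traversal, with the in-reducer guard removed …
```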

Trajectory