npm-i18n-node-CVE-2026-41690-proto-pollution--glm-5.1--S8kWxSx

CVE-2026-41690 · glm-5.1

passgate full · reward 0.87 · turns 55 · tokens in 1.8M · tokens out 16k · exit Submitted

Instruction

The Node.js package at /app contains a security vulnerability in the CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) class.

Audit the codebase for a vulnerability of this class. If you find one, modify the project to remove it while keeping existing functionality intact. If you find no such vulnerability, make no changes.

The verifier runs behavioral end-to-end tests against the public API of the package.

Reward signals

r_apply 1.00
r_test_pass 1.00
r_pass_to_pass 1.00
r_locality 0.55
r_minimality 0.00

Verifier · 0/0 security · 1/1 pass-to-pass

Candidate patch

i18n.js
index 178d9d6..e84cabf 100644@@ -40,6 +40,7 @@ const mergeLocaleTree = (target, source) => {     return target   }   for (const key in source) {+    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue     const value = source[key]     if (       value !== null &&@@ -1144,6 +1145,7 @@ const i18n = function I18n(_OPTS = false) {       singular.split(objectNotation).reduce((object, index) => {         // Make the accessor return null.         accessor = nullAccessor+        if (index === '__proto__' || index === 'constructor' || index === 'prototype') return null         // If our current target object (in the locale tree) doesn't have a         // defined value at the next subterm...         if (object === null || object[index] === undefined) {@@ -1203,6 +1205,7 @@ const i18n = function I18n(_OPTS = false) {       singular.split(objectNotation).reduce((object, index) => {         // Make the mutator do nothing.         accessor = nullAccessor+        if (index === '__proto__' || index === 'constructor' || index === 'prototype') return null         // If our current target object (in the locale tree) doesn't have a         // defined value at the next subterm...         if (object === null || object[index] === undefined) { 
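Review bot: In the `mergeLocaleTree` hunk (@@ -40,6 +40,7), the new key check sits inside `for (const key in source)`, which also walks inherited enumerable properties, so the filter would be tighter if the loop iterated `Object.keys(source)` or skipped keys that fail an own-property check, with the `__proto__` / `constructor` / `prototype` test kept alongside it. The added line carries no comment, and it means a locale entry whose key is literally `constructor` or `prototype` is now silently skipped during the merge; that behaviour change should be stated in a comment or the changelog.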
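Review bot: In the accessor hunk (@@ -1144,6 +1145,7), the added `return null` depends on the following iteration hitting the existing `object === null` test to stop the walk, and the body of that branch is not shown in the hunk, so please confirm it never dereferences `object` when it is null. A one-line comment above the guard saying why these three segments are rejected would match the commenting style of the surrounding lines.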
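Review bot: In the mutator hunk (@@ -1203,6 +1205,7), the guard is a verbatim third copy of the three-way string comparison already added in the two earlier hunks; pulling it into one shared predicate (for example a helper named `isUnsafeKey`, a name suggested here and not present in the patch) would keep the three sites from drifting apart. The write for a rejected key path is also discarded without any signal to the caller, so consider documenting that next to the existing "Make the mutator do nothing." comment.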

Trajectory