npm-i18n-node-CVE-2026-41690-proto-pollution--glm-5.2--qzxYx8w
CVE-2026-41690 · glm-5.2
passgate full · reward 0.87
- turns: 27
- tokens in: 641k
- tokens out: 11k
- exit: Submitted
Instruction
The Node.js package at /app contains a security vulnerability in the CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) class.
Audit the codebase for a vulnerability of this class. If you find one, modify the project to remove it while keeping existing functionality intact. If you find no such vulnerability, make no changes.
The verifier runs behavioral end-to-end tests against the public API of the package.
Reward signals
r_apply: 1.00
r_test_pass: 1.00
r_pass_to_pass: 1.00
r_locality: 0.49
r_minimality: 0.11
Verifier · 0/0 security · 1/1 pass-to-pass
Candidate patch
i18n.js
index 178d9d6..5397c5f 100644@@ -23,6 +23,12 @@ const parseInterval = require('math-interval-parser').default // utils const escapeRegExp = (string) => string.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') // $& means the whole matched string +// Property names that can lead to prototype pollution (CWE-1321) when used+// as keys in object traversal / assignment. Any segment equal to one of+// these strings is rejected before a property read or write.+const isUnsafeProperty = (key) =>+ key === '__proto__' || key === 'constructor' || key === 'prototype'+ /** * Recursively merges a parsed locale JSON tree (`source`) into the * in-memory locale tree (`target`). Used by `read()` so on-disk locale@@ -40,6 +46,8 @@ const mergeLocaleTree = (target, source) => { return target } for (const key in source) {+ if (!Object.prototype.hasOwnProperty.call(source, key)) continue+ if (isUnsafeProperty(key)) continue const value = source[key] if ( value !== null &&@@ -1131,6 +1139,11 @@ const i18n = function I18n(_OPTS = false) { // Handle object lookup notation const indexOfDot = objectNotation && singular.lastIndexOf(objectNotation) if (objectNotation && indexOfDot > 0 && indexOfDot < singular.length - 1) {+ // Guard against prototype pollution (CWE-1321): refuse to traverse+ // paths that contain unsafe property names such as __proto__.+ if (singular.split(objectNotation).some(isUnsafeProperty)) {+ return Function.prototype+ } // If delayed traversal wasn't specifically forbidden, it is allowed. 
if (typeof allowDelayedTraversal === 'undefined') allowDelayedTraversal = true@@ -1189,6 +1202,11 @@ const i18n = function I18n(_OPTS = false) { // Handle object lookup notation const indexOfDot = objectNotation && singular.lastIndexOf(objectNotation) if (objectNotation && indexOfDot > 0 && indexOfDot < singular.length - 1) {+ // Guard against prototype pollution (CWE-1321): refuse to traverse+ // or create paths that contain unsafe property names such as __proto__.+ if (singular.split(objectNotation).some(isUnsafeProperty)) {+ return Function.prototype+ } // If branching wasn't specifically allowed, disable it. if (typeof allowBranching === 'undefined') allowBranching = false // This will become the function we want to return.
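Review bot: in the utils hunk, the comment above `isUnsafeProperty` says a matching segment "is rejected before a property read or write", but the helper only classifies the key; the rejection happens at each call site, so the comment should say that callers must check it. Also, blocking `prototype` as a standalone key is not required to stop the `constructor.prototype` chain once `constructor` is rejected, and it will refuse any locale file that legitimately uses a key named `prototype`; if that trade-off is intentional, state it in the comment.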
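Review bot: in the `mergeLocaleTree` hunk, both new `continue` statements drop the key silently, so a malformed or hostile locale file that carries a `__proto__` key leaves no trace for whoever operates the service. Emit a warning through whatever logging hook the module already exposes before skipping, naming the rejected key, so the event is visible in logs; the `hasOwnProperty` filter is harmless for JSON-parsed input but the unsafe-key check is the one doing the work here.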
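Review bot: in the first object-lookup hunk, `return Function.prototype` is an unusual sentinel; the surrounding comment "This will become the function we want to return" shows the normal result is a callable, so return an explicit no-op such as `() => undefined` (or whatever fallback the existing code returns for a missing key) and document it, rather than relying on `Function.prototype` being callable. Note also that the guard sits inside `if (objectNotation && indexOfDot > 0 && indexOfDot < singular.length - 1)`, so a bare `__proto__` key with no separator takes the non-dotted path, which this hunk does not touch; confirm that path performs no property write.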
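Review bot: the second object-lookup hunk repeats the guard and its comment from the first one verbatim (`singular.split(objectNotation).some(isUnsafeProperty)` followed by `return Function.prototype`). Factor it into a small helper next to `isUnsafeProperty`, for example `hasUnsafeSegment(path, separator)`, so the two sites cannot drift apart if the unsafe-key list or the return value changes.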