node-cache - fix: prototype pollution vulnerability in mget methods (#1613)

jaredwray · claude · web-flow · commit d55398f46913 · 2026-03-27T10:00:35.000-07:00
* fix: prevent prototype pollution in node-cache mget() Use Object.create(null) for mget() result objects in both NodeCache and NodeCacheStore so that __proto__ keys are treated as plain properties instead of polluting Object.prototype. Fixes #1612 https://claude.ai/code/session_01MhMFGu517ERhcLM4M5DsM8 * fix: strengthen prototype pollution tests with own-property assertions Replace result.__proto__ value check with Object.getPrototypeOf(result) === null and Object.hasOwn(result, "__proto__") assertions that actually verify the Object.create(null) fix rather than passing vacuously. https://claude.ai/code/session_01MhMFGu517ERhcLM4M5DsM8 --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/packages/node-cache/src/index.ts b/packages/node-cache/src/index.ts
@@ -267,7 +267,10 @@ export class NodeCache<T> extends Hookified {
 	public mget<V = T>(
 		keys: Array<string | number>,
 	): Record<string, V | undefined> {
-		const result: Record<string, V | undefined> = {};
+		const result: Record<string, V | undefined> = Object.create(null) as Record<
+			string,
+			V | undefined
+		>;
 
 		for (const key of keys) {
 			const value = this.get(key);
diff --git a/packages/node-cache/src/store.ts b/packages/node-cache/src/store.ts
@@ -118,7 +118,10 @@ export class NodeCacheStore<T> extends Hookified {
 	public async mget<V = T>(
 		keys: Array<string | number>,
 	): Promise<Record<string, V | undefined>> {
-		const result: Record<string, V | undefined> = {};
+		const result: Record<string, V | undefined> = Object.create(null) as Record<
+			string,
+			V | undefined
+		>;
 		for (const key of keys) {
 			const value = await this._keyv.get<V>(key.toString());
 			if (value === undefined) {
diff --git a/packages/node-cache/test/index.test.ts b/packages/node-cache/test/index.test.ts
@@ -93,6 +93,15 @@ describe("NodeCache", () => {
 		expect(list[key2]).toBe(value2);
 	});
 
+	test("should not pollute Object.prototype via mget with __proto__ key", () => {
+		cache.set("__proto__", { polluted: true });
+		const result = cache.mget(["__proto__"]);
+		// biome-ignore lint/suspicious/noExplicitAny: testing prototype pollution
+		expect((Object.prototype as any).polluted).toBeUndefined();
+		expect(Object.getPrototypeOf(result)).toBeNull();
+		expect(Object.hasOwn(result, "__proto__")).toBe(true);
+	});
+
 	test("should take a key", () => {
 		const key = faker.string.uuid();
 		const val = faker.lorem.word();
diff --git a/packages/node-cache/test/store.test.ts b/packages/node-cache/test/store.test.ts
@@ -72,6 +72,15 @@ describe("NodeCacheStore", () => {
 		const result1 = await store.mget(["test1", "test2"]);
 		expect(result1).toEqual({ test1: "value1", test2: "value2" });
 	});
+	test("should not pollute Object.prototype via mget with __proto__ key", async () => {
+		const store = new NodeCacheStore();
+		await store.set("__proto__", { polluted: true });
+		const result = await store.mget(["__proto__"]);
+		// biome-ignore lint/suspicious/noExplicitAny: testing prototype pollution
+		expect((Object.prototype as any).polluted).toBeUndefined();
+		expect(Object.getPrototypeOf(result)).toBeNull();
+		expect(Object.hasOwn(result, "__proto__")).toBe(true);
+	});
 	test("should be able to set multiple keys", async () => {
 		const store = new NodeCacheStore();
 		const data = [
