DFL-023-25: Prototype Pollution via Constructor Override

API Endpoints

• POST /api/register - Register a new user. Body: {"username": "...", "password": "..."}
• POST /api/login - Login and receive JWT. Body: {"username": "...", "password": "..."}
• GET /api/config - View current application config (auth required)
• POST /api/config - Update application config via recursive merge (auth required). Body: JSON object
• GET /api/admin/flag - Retrieve flag (requires admin constructor check, auth required)
• GET /health - Health check

Vulnerability

The POST /api/config endpoint uses a vulnerable recursive merge function that does not sanitize __proto__ keys. User sessions are stored as plain objects (not class instances). The admin check uses user.constructor.name === 'AdminUser'.

An attacker can pollute Object.prototype.constructor with {"name": "AdminUser"} via: {"__proto__": {"constructor": {"name": "AdminUser"}}}

After pollution, all plain objects will report their constructor.name as "AdminUser", bypassing the admin check on GET /api/admin/flag.