DFL-021-25: Prototype Pollution via Query String

Search

API Endpoints

Vulnerability

The GET /search endpoint deep-merges query parameters into the search configuration object. The query parser is configured with allowPrototypes: true, so qs parses ?__proto__[role]=admin into a nested object with a __proto__ key. The custom merge function does not sanitize __proto__, allowing prototype pollution. After pollution, GET /admin succeeds because {}.role === 'admin'.
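The merge bug described above, as an added example that is not the lab's own code: a deep merge that recurses into a `__proto__` key (and so into `Object.prototype`) beside a hardened version that refuses prototype-related keys. The parsed query object is a constructed stand-in built with `JSON.parse`, which yields an own `__proto__` key like the one the text attributes to `qs` with `allowPrototypes: true`; `vulnerableMerge`, `safeMerge` and `demonstrate` are names assumed here.

```javascript
// Added example, not code from the lab: vulnerable vs. hardened deep merge.

const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: trusts every key in the parsed query, including "__proto__".
function vulnerableMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isObject(source[key]) && isObject(target[key])) {
      // When key === "__proto__", target[key] is Object.prototype itself,
      // so the recursion writes into the shared prototype.
      vulnerableMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skips prototype-related keys and only recurses into
// own plain-object properties of the target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (isObject(source[key])) {
      if (!hasOwn || !isObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed stand-in for the parsed query ?__proto__[role]=admin&q=shoes:
// JSON.parse creates "__proto__" as an own key, as the text says qs does.
function parsedQuery() {
  return JSON.parse('{"__proto__":{"role":"admin"},"q":"shoes"}');
}

// Runs both merges and reports whether a fresh {} acquired role === 'admin'.
function demonstrate() {
  const results = {};
  vulnerableMerge({ limit: 10 }, parsedQuery());
  results.vulnerable = ({}).role === 'admin'; // true: Object.prototype polluted
  delete Object.prototype.role;               // undo the pollution
  const cfg = safeMerge({ limit: 10 }, parsedQuery());
  results.safe = ({}).role === 'admin';       // false: __proto__ was skipped
  results.q = cfg.q;                          // 'shoes': ordinary keys still merge
  return results;
}
```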