🟨 JavaScript Intermediate

What is prototype pollution in JavaScript?

Answer

Prototype pollution is a vulnerability in which attacker-controlled input adds or overwrites properties on a shared prototype, usually Object.prototype, so that every object inheriting from it (in practice, almost every object in the process) picks up the injected property.

Example: a recursive merge, clone or "set by path" helper that does target[key] = value without checking key. If the attacker supplies the key "__proto__" (or the two-step path "constructor" then "prototype"), target["__proto__"] resolves to Object.prototype, and the recursive step writes the attacker's nested keys onto it. A single obj["__proto__"] = value only changes the prototype of that one object; the global pollution comes from walking into the prototype and assigning on it. JSON.parse does create an own property literally named "__proto__", which is exactly why a request body such as {"__proto__": {"isAdmin": true}} reaches such a merge intact.

Impact: a polluted property is visible to every lookup that did not define it, so checks like if (user.isAdmin), options objects that were never given a field, and template or config defaults now see attacker-controlled values. Depending on which such gadgets exist in the application and its dependencies, the result ranges from corrupted data and denial of service to authorization bypass and remote code execution.

Common sources: deep merge/clone/extend functions, "set by path" utilities, query-string and form parsers that build nested objects from user-controlled keys, and code that merges a parsed JSON body into defaults. Template rendering libraries appear here less as a source than as a sink: a polluted option on the engine is a common gadget that turns pollution into code execution.

Prevention: reject or skip the keys __proto__, constructor and prototype in any function that writes user-controlled keys, and iterate with Object.keys plus an own-property check rather than for...in. Use Object.create(null) for dictionaries; such objects have no prototype and therefore no inherited __proto__ setter. Prefer Map for user-controlled key/value stores. Object.freeze(Object.prototype) stops writes to it entirely, but it can break libraries that extend built-in prototypes, so test before enabling it; Node.js also offers --disable-proto=delete or --disable-proto=throw to remove the __proto__ accessor at startup. Modern libraries like Lodash have patched prototype pollution in their merge-style functions; keep dependencies updated and audit your own helpers the same way. This is a critical security concern in Node.js (and browser) applications that handle user input.