DFL-019-25: Prototype Pollution via Config Merge
API Endpoints
- POST /api/register - Register a new user. Body: {"username": "...", "password": "..."}
- POST /api/login - Login and receive JWT. Body: {"username": "...", "password": "..."}
- GET /api/config - View current application config (auth required)
- POST /api/settings - Update application config via deep merge (auth required). Body: JSON object to merge into config
- GET /api/admin/flag - Retrieve flag (admin access required, auth required)
- GET /health - Health check
Vulnerability
The POST /api/settings endpoint passes the request body through a recursive deep merge function that does not sanitize __proto__ keys. Because obj["__proto__"] resolves to the object's prototype, merging a nested object under that key writes into Object.prototype rather than into the config object, which is prototype pollution.
An attacker can pollute Object.prototype.isAdmin so that every object in the process reports isAdmin as true, and thereby gain admin access.
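A merge with the flaw described above beside a hardened replacement, as an added example that is not the challenge's own code; the function names, the constructed settings body and the isAdmin check are assumptions.

```javascript
// Added example, not the challenge's own code: unsafeMerge mirrors the flaw the
// advisory describes; safeMerge is one hardened replacement for it.
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}
// Vulnerable: walks every key of source. When key is "__proto__", target[key]
// resolves to Object.prototype, so the recursion writes into the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: drops the keys through which the prototype chain is reachable and
// only recurses into objects that are already own properties of target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body of the shape the advisory describes. JSON.parse creates
// an own property literally named "__proto__", which Object.keys does list.
const CONSTRUCTED_BODY = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Merges the body into a fresh config with mergeFn, then reports whether an
// unrelated, newly created object looks like an admin afterwards.
function pollutesFreshObjects(mergeFn) {
  mergeFn({ theme: 'light' }, JSON.parse(CONSTRUCTED_BODY));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // reset so later checks start clean
  return leaked;
}
```

The body is parsed from JSON on purpose: an object literal written as {__proto__: ...} sets the prototype instead of creating an own key, so it would not reproduce what the endpoint sees.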