From 4c9e27cd5bd74f1baea8d5a5922a5caf9d69b621 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Mon, 15 Jun 2026 05:15:13 -0700
Subject: [PATCH] fix(security): prototype pollution via custom attributes in beare
In `BearerTokenType.valueOf()`, custom attributes are iterated using `for...in` without proper prototype chain protection. While `Object.prototype.hasOwnProperty.call` is used, if `customAttributes` itself is an object with a polluted prototype (e.g., via `__proto__` or `constructor`), properties from the prototype chain could be included in the token response. Additionally, the constructor allows `customAttributes` to be any object, which could lead to information disclosure or unexpected behavior if malicious properties are passed.
Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 lib/token-types/bearer-token-type.js | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/lib/token-types/bearer-token-type.js b/lib/token-types/bearer-token-type.js
index 373d8731..a0c836aa 100644
--- a/lib/token-types/bearer-token-type.js
+++ b/lib/token-types/bearer-token-type.js
@@ -57,11 +57,9 @@ class BearerTokenType {
 object.scope = this.scope;
 }
- for (const key in this.customAttributes) {
- if ( Object.prototype.hasOwnProperty.call(this.customAttributes, key) ) {
- object[key] = this.customAttributes[key];
- }
- }
+ Object.keys(this.customAttributes).forEach((key) => {
+ object[key] = this.customAttributes[key];
+ });
 return object;
 }
 }
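Review bot: `Object.keys(this.customAttributes)` throws a TypeError when `customAttributes` is `undefined` or `null`, whereas the removed `for...in` loop simply iterated nothing, so `valueOf()` may now fail for tokens without custom attributes if the constructor (outside this hunk) can leave the field unset; `Object.keys(this.customAttributes || {})` keeps the old behaviour. The new loop also visits the same own enumerable keys as the removed `hasOwnProperty`-guarded loop, so it does not narrow what reaches the response. An own `__proto__` key (for example from parsed JSON) still goes through `object[key] = ...`, which sets the response object's prototype instead of adding a field, and a custom attribute can still overwrite `scope` and the other fields assigned earlier in `valueOf()`, which starts outside the hunk. A guard at the top of the callback such as `if (key === '__proto__' || Object.prototype.hasOwnProperty.call(object, key)) { return; }` would address both.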