What is prototype pollution in JavaScript — its root cause and potential impact?

Prototype pollution happens when an attacker can set properties on Object.prototype (or another object's prototype) via keys like __proto__, constructor, or prototype — typically through an unsafe recursive merge/clone, lodash.merge-style deep-set, or JSON.parse-then-merge of attacker-controlled data. Because nearly every object inherits from Object.prototype, the injected property then appears on objects that never set it, which can corrupt application logic (e.g. inject isAdmin: true), cause DoS, or escalate to RCE/XSS when a polluted property reaches a dangerous sink (template options, child_process options, config). Mitigate by rejecting/skipping __proto__/constructor/prototype keys during merges, using Object.create(null) or Map for untrusted dictionaries, Object.freeze(Object.prototype), and schema validation of input.
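As an added illustration (not part of the original SecPrep answer), the following compares a typical vulnerable recursive merge with a hardened one, using a constructed `__proto__` payload of the kind that arrives via `JSON.parse` of a request body; the function and key names are the example's own.

```javascript
// Vulnerable: recurses into any key, including "__proto__". On a plain
// object, target["__proto__"] is Object.prototype, so the recursion writes there.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the three prototype-reaching keys, recurse only into own
// properties of the target, and use prototype-less objects for new dictionaries.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // reject the pollution vector
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || typeof target[key] !== 'object') {
        target[key] = Object.create(null); // no prototype chain to pollute
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: JSON.parse creates an *own* property literally named "__proto__".
const PAYLOAD = JSON.parse('{"name":"alice","__proto__":{"isAdmin":true}}');

// Merges the payload into a fresh object and reports whether an unrelated object
// now appears to be an admin. Restores Object.prototype so the check is repeatable.
function pollutes(mergeFn) {
  const user = {};
  mergeFn(user, PAYLOAD);
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution left by the vulnerable merge
  return leaked;
}

console.log('unsafeMerge pollutes Object.prototype:', pollutes(unsafeMerge)); // true
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge));     // false
```

The same skip list applies to `constructor.prototype` paths, which is why `constructor` is rejected even though it is a harmless key on most plain objects.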