2026-05-18
Language: JavaScript
Link: https://github.com/OriginSecurityX/jsonata-hasownproperty-bypass
This is a proof-of-concept repository demonstrating a prototype pollution bypass in JSONata, the popular JSON query and transformation language used in Node-RED, IBM App Connect, and countless serverless data-mapping pipelines. The author shows how JSONata's function binding mechanism can be abused to override hasOwnProperty, defeating one of the most common defensive patterns developers use to guard against prototype pollution.
What makes this PoC interesting is the specific attack surface. Most prototype pollution discussions focus on merge utilities like lodash or jQuery's $.extend. JSONata is a different beast: it's an expression language, and users frequently pass untrusted JSONata expressions through APIs that treat them as "just queries." If your defensive code reads:
- if (Object.prototype.hasOwnProperty.call(obj, key)) — you're probably safe
- if (obj.hasOwnProperty(key)) — this repo shows how that check can be subverted via function binding
The bypass leverages JSONata's $function and binding semantics, which let an expression construct callables that shadow built-in property checks on traversed objects. For anyone running JSONata in a multi-tenant context — SaaS data transformation, low-code platforms, customer-supplied integration logic — this is exactly the kind of nuanced edge case worth understanding before it lands in a CVE.
Who benefits:
obj.hasOwnProperty is not a safe check on untrusted objects
The repo is tiny, focused, and reproducible — exactly the format a good PoC should take. Even if you don't ship JSONata, the underlying lesson about expression-language sandboxes is broadly applicable.
hasOwnProperty is never a trustworthy check against attacker-controlled objects — especially inside expression engines like JSONata.
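The difference between the two check forms above, shown in plain JavaScript as an added example (not code from the repository, and it does not use JSONata). The helper names and the three sample objects are constructed for illustration.

```javascript
// Added illustration; all objects below are constructed samples.

// Hardened check: always uses the built-in, never a property found on obj.
function safeHasOwn(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Weak check: resolves hasOwnProperty through obj itself, so whoever
// controls obj's properties controls the answer.
function weakHasOwn(obj, key) {
  return obj.hasOwnProperty(key);
}

// Run both checks and report each outcome, catching the TypeError case.
function compare(obj, key) {
  let weak;
  try {
    weak = String(weakHasOwn(obj, key));
  } catch (e) {
    weak = 'throws ' + e.name;
  }
  return { weak, safe: String(safeHasOwn(obj, key)) };
}

// 1. Inherited key, with the method shadowed by a function that always says yes.
const shadowed = Object.create({ role: 'admin' });
shadowed.name = 'alice';
shadowed.hasOwnProperty = () => true;

// 2. Parsed JSON where the key "hasOwnProperty" holds a non-function value.
const parsed = JSON.parse('{"name":"bob","hasOwnProperty":1}');

// 3. Null-prototype dictionary: no inherited hasOwnProperty at all.
const dict = Object.create(null);
dict.name = 'carol';

function runSamples() {
  return {
    shadowed: compare(shadowed, 'role'),
    parsed: compare(parsed, 'name'),
    dict: compare(dict, 'name'),
  };
}

console.log(runSamples());
```

The weak form reports an inherited key as own in the first case and throws in the other two; the hardened form gives the correct answer in all three. On Node 16.9+ and current browsers, Object.hasOwn(obj, key) behaves like the hardened form.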
