Nocodb · Nocodb · CVE-2026-24766
**Name of the Vulnerable Software and Affected Versions**
NocoDB versions prior to 0.301.0
**Description**
An authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint. This causes all database write operations to fail application-wide until server restart. The issue stems from the `deepMerge()` function in `packages/nocodb/src/utils/dataUtils.ts`, which does not sanitize keys like `__proto__`, `constructor`, and `prototype`. The `testConnection` endpoint in `packages/nocodb/src/controllers/utils.controller.ts` passes user-controlled input directly to `deepMerge()`. Sending a payload like `{"__proto__": {"super": true}}` writes the `super` property to `Object.prototype`, impacting all plain objects in the Node.js process. The vulnerable function is `deepMerge()`. The vulnerable parameter is `body`.
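The merge defect described above, as an added example that is not NocoDB's own code: a naive recursive merge of the shape the advisory describes, beside a hardened version that refuses the three dangerous keys and only descends into properties the target itself owns. The payload string is the one quoted in the description; the function names and the `prototypeIsClean` check are assumptions made for this illustration.

```javascript
// Constructed illustration, not NocoDB's own deepMerge(): a naive recursive
// merge of the shape the advisory describes, beside a hardened version.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable shape: copies every key of `source`. For a "__proto__" key,
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// the nested keys onto the prototype shared by every plain object.
function deepMergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value) && isPlainObject(target[key])) {
      deepMergeUnsafe(target[key], value);
    } else if (isPlainObject(value)) {
      target[key] = deepMergeUnsafe({}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: reject keys that reach the prototype chain, and only descend
// into properties the target actually owns (never inherited ones).
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing to merge unsafe key: ${key}`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      target[key] = deepMergeSafe(own ? target[key] : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Cheap runtime health check (assumed helper): has a marker key leaked onto Object.prototype?
function prototypeIsClean(marker) {
  return !(marker in Object.prototype);
}

// Demo: the advisory's payload parsed as a JSON request body would be
// (JSON.parse creates an own "__proto__" key rather than setting the prototype).
const body = JSON.parse('{"__proto__": {"super": true}}');
try {
  deepMergeSafe({}, body);
} catch (e) {
  console.log("hardened merge rejected request:", e.message);
}
console.log("Object.prototype untouched:", prototypeIsClean("super")); // true
```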
**Recommendations**
Versions prior to 0.301.0 should be updated to version 0.301.0 or later.