PT-2026-42651 · Npm · @Nevware21/Ts-Utils

Published: 2026-05-21 · Updated: 2026-05-21

CVSS v4.0: 7.2 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

Summary

The copyProps function in lib/src/object/copy.ts uses for...in to iterate over source object properties without an Object.hasOwnProperty check, and does not filter the dangerous keys (__proto__, constructor, prototype). This allows an attacker to pollute the prototype chain of all objects in the application.

Details

In copyProps() (copy.ts lines 186-191), the code iterates over all enumerable properties, including inherited ones and dangerous keys such as __proto__. Any object carrying a __proto__ key (e.g., one produced from untrusted JSON input) will overwrite the target's prototype.

PoC

// JSON.parse creates an own, enumerable "__proto__" key rather than setting the prototype
const malicious = JSON.parse('{"__proto__": {"polluted": true}}');
objDeepCopy(malicious);
console.log({}.polluted); // true: the property now lives on Object.prototype

Suggested Fix

Add an objHasOwnProperty check and filter the __proto__, constructor and prototype keys.
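The weakness and the suggested fix side by side, as an added example that is not the library's code: a minimal recursive copier in the shape the advisory describes (for...in, no own-property check, no key filter) next to a hardened variant that applies the suggested fix. The function names deepCopyUnsafe, deepCopySafe and pollutesGlobalPrototype are hypothetical, and the payload is a constructed copy of the PoC input.

```javascript
// Added example (hypothetical names, not the library's code).
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Vulnerable shape from the advisory: for...in with no own-property check and
// no key filter. With target = {} and a source key "__proto__", the read of
// target[key] resolves to Object.prototype, so the recursion writes the
// attacker-controlled properties onto the prototype of every plain object.
function deepCopyUnsafe(target, source) {
  for (const key in source) { // also walks inherited enumerable keys
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = target[key];
      target[key] = deepCopyUnsafe(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own properties only, and never the keys that reach the prototype
// chain (the suggested fix). Everything else behaves as before.
function deepCopySafe(target, source) {
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    if (DANGEROUS_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = target[key];
      target[key] = deepCopySafe(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input mirroring the advisory's PoC payload, plus a benign key.
const MALICIOUS_JSON = '{"__proto__": {"polluted": true}, "name": "x"}';

// True when a fresh object picks up the injected property after copyFn runs.
function pollutesGlobalPrototype(copyFn) {
  const before = ({}).polluted;
  copyFn({}, JSON.parse(MALICIOUS_JSON));
  const after = ({}).polluted;
  delete Object.prototype.polluted; // restore so one run does not mask the next
  return before === undefined && after === true;
}
```

A regression test for the fix is the same probe: after the hardened copy a fresh `{}` must still report `polluted` as undefined, and the copied object must carry no own `__proto__` key.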

Weakness Enumeration

Prototype Pollution

Related Identifiers

GHSA-X7J8-49R8-MR43

Affected Products

@Nevware21/Ts-Utils