Python Class Pollution
Class pollution is a vulnerability class in which an attacker traverses Python’s runtime object graph through dunder attributes such as __class__, __init__, and __globals__ (and through module-level entry points such as sys.modules) and overwrites attributes in classes, functions, or modules that the program never intended to expose. The traversal is driven by a reflective attribute- or item-access loop whose path or keys come from untrusted input.
It is the Python analogue of JavaScript prototype pollution, but the primitives are richer: Python’s class-based object model with a flexible reflection layer lets pollution reach classes, functions, modules, and descriptor slots.
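As an added example (not code from this wiki or the paper), a minimal reflective merge loop of the kind described above, in which untrusted keys drive getattr/setattr, beside a hardened variant that applies the key sanitization at the "get" primitive and the guard at the "set" primitive the Defense section refers to. The `Settings` class and the input dict are constructed for illustration.

```python
class Settings:
    # Constructed sample target: a class attribute shared by every instance.
    greeting = "hello"

    def __init__(self):
        self.name = "default"


def merge_unsafe(src, dst):
    """Reflective merge driven by untrusted keys (the vulnerable pattern).
    Nothing stops a key such as '__class__' from walking from the instance
    up to its class, so the final setattr lands on Settings itself."""
    for key, value in src.items():
        if isinstance(value, dict) and hasattr(dst, key):
            merge_unsafe(value, getattr(dst, key))   # 'get' primitive
        else:
            setattr(dst, key, value)                 # 'set' primitive
    return dst


def is_safe_key(key):
    """Key sanitization at the 'get' primitive: refuse dunder names."""
    return isinstance(key, str) and not (key.startswith("__") and key.endswith("__"))


def merge_safe(src, dst):
    """Same loop with a guard at the 'set' primitive: only non-dunder keys
    that already exist on the target may be updated or descended into.
    Note that hasattr() alone would still accept '__class__'."""
    for key, value in src.items():
        if not is_safe_key(key):
            raise ValueError(f"rejected reflective key: {key!r}")
        if not hasattr(dst, key):
            raise ValueError(f"unknown attribute: {key!r}")
        if isinstance(value, dict):
            merge_safe(value, getattr(dst, key))
        else:
            setattr(dst, key, value)
    return dst


def demo(merge):
    """Feed constructed untrusted input through `merge`; a fresh instance
    afterwards shows whether the shared class attribute was polluted."""
    Settings.greeting = "hello"
    try:
        merge({"__class__": {"greeting": "polluted"}}, Settings())
    except ValueError:
        pass
    return Settings().greeting  # merge_unsafe -> 'polluted', merge_safe -> 'hello'
```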
Roadmap
This wiki is organized into the following sections. Most readers can pick the entry point that matches their goal:
- Taxonomy: the building blocks of a class pollution vulnerability. Catalogs the atomic get/set operations Python exposes and the pollution primitives that compose into the six class pollution variants.
- Pollution Targets: runtime objects (classes, modules, functions) that are reachable via reflection and that meaningfully change program behavior when modified.
- Gadgets: existing read-then-sink code in the standard library, third-party packages, or the application itself that turns a pollution primitive into RCE, XSS, Auth Bypass, or DoS.
- Tool: documentation for Pyrl (the detection tool, built on operational taint analysis over CodeQL) and Polluter (an exploitation/testing helper).
- Collection: assigned CVEs and end-to-end showcase walkthroughs of confirmed class pollution vulnerabilities, plus a full Catalog of 76 packages with proof-of-concept exploits.
- Defense: mitigations along the object resolution path, including key sanitization at the “get” primitive and guards at the “set” primitive.
About this wiki
This wiki accompanies our IEEE S&P 2026 paper The First Large-Scale Systematic Study of Python Class Pollution Vulnerability. Its goal is to be a living reference for the vulnerability class. Concretely, we want it to:
- Document the taxonomy, targets, and gadgets in a way that is easier to extend than a PDF.
- Track new CVEs, gadgets, and showcases as they are discovered.
- Provide actionable defense guidance for library and application maintainers.
Contributions
Contributions are welcome: new gadgets, additional showcases, corrections, and translations. The site is built with Hugo from markdown sources under website/source/. To propose a change, open an issue or a pull request on the repo: https://github.com/jackfromeast/python-class-pollution.
References
- Abdulraheem Khaled, “Prototype Pollution in Python,” 2023. Also presented at Black Hat MEA 2023.
- Ziyi Ouyang, “Research and Explore of Prototype Pollution Attack in Python,” ACCTCS 2023.
- Qingyun Zhang, “Exploitation and prevention of Python prototype chain pollution,” Applied and Computational Engineering, vol. 43, pp. 229-236.
- Zhengyu Liu, Jiacheng Zhong, Jianjia Yu, Muxi Lyu, Zifeng Kang, Yinzhi Cao, “The First Large-Scale Systematic Study of Python Class Pollution Vulnerability,” IEEE S&P 2026.