diff --git a/README.md b/README.md
index 02ce36d7..c2c869d6 100644
--- a/README.md
+++ b/README.md
@@ -182,14 +182,20 @@ else {
 
 ## API
 
-#### `jsonpatch.applyPatch<T>(document: any, patch: Operation[], validateOperation: Boolean | Function = false): OperationResult<T>[]`
+#### `function applyPatch<T>(document: T, patch: Operation[], validateOperation?: boolean | Validator<T>, mutateDocument: boolean = true, banPrototypeModifications: boolean = true): PatchResult<T>`
 
 Applies `patch` array on `obj`.
 
+- `document` The document to patch
+- `patch` a JSON-Patch array of operations to apply
+- `validateOperation` Boolean for whether to validate each operation with our default validator, or to pass a validator callback
+- `mutateDocument` Whether to mutate the original document or clone it before applying
+- `banPrototypeModifications`  Whether to ban modifications to `__proto__`, defaults to `true`.
+
 An invalid patch results in throwing an error (see `jsonpatch.validate` for more information about the error object).
 
 It modifies the `document` object and `patch` - it gets the values by reference.
-If you would like to avoid touching your values, clone them: `jsonpatch.applyPatch(document, jsonpatch.deepClone(patch))`.
+If you would like to avoid touching your `patch` array values, clone them: `jsonpatch.applyPatch(document, jsonpatch.deepClone(patch))`.
 
 Returns an array of [`OperationResult`](#operationresult-type) objects - one item for each item in `patches`, each item is an object `{newDocument: any, test?: boolean, removed?: any}`.
 
@@ -197,13 +203,13 @@ Returns an array of [`OperationResult`](#operationresult-type) objects - one ite
 * `remove`, `replace` and `move` - original object that has been removed
 * `add` (only when adding to an array) - index at which item has been inserted (useful when using `-` alias)
 
-** Note: It throws `TEST_OPERATION_FAILED` error if `test` operation fails. **
-
-** Note II: the returned array has `newDocument` property that you can use as the final state of the patched document **.
+- ** Note: It throws `TEST_OPERATION_FAILED` error if `test` operation fails. **
+- ** Note II: the returned array has `newDocument` property that you can use as the final state of the patched document **.
+- ** Note III: By default, when `banPrototypeModifications` is `true`, this method throws a `TypeError` when you attempt to modify an object's prototype.
 
 - See [Validation notes](#validation-notes).
 
-#### `applyOperation<T>(document: any, operation: Operation, validateOperation: <Boolean | Function> = false, mutateDocument = true): OperationResult<T>`
+#### `function applyOperation<T>(document: T, operation: Operation, validateOperation: boolean | Validator<T> = false, mutateDocument: boolean = true, banPrototypeModifications: boolean = true): OperationResult<T>`
 
 Applies single operation object `operation` on `document`.
 
@@ -211,13 +217,15 @@ Applies single operation object `operation` on `document`.
 - `operation` The operation to apply
 - `validateOperation` Whether to validate the operation, or to pass a validator callback
 - `mutateDocument` Whether to mutate the original document or clone it before applying
+- `banPrototypeModifications` Whether to ban modifications to `__proto__`, defaults to `true`.
 
 It modifies the `document` object and `operation` - it gets the values by reference.
 If you would like to avoid touching your values, clone them: `jsonpatch.applyOperation(document, jsonpatch.deepClone(operation))`.
 
 Returns an [`OperationResult`](#operationresult-type) object `{newDocument: any, test?: boolean, removed?: any}`.
 
-** Note: It throws `TEST_OPERATION_FAILED` error if `test` operation fails. **
+- ** Note: It throws `TEST_OPERATION_FAILED` error if `test` operation fails. **
+- ** Note II: By default, when `banPrototypeModifications` is `true`, this method throws a `TypeError` when you attempt to modify an object's prototype.
 
 - See [Validation notes](#validation-notes).
 
diff --git a/dist/fast-json-patch.js b/dist/fast-json-patch.js
index 945d3f53..991829f1 100644
--- a/dist/fast-json-patch.js
+++ b/dist/fast-json-patch.js
@@ -347,11 +347,13 @@ exports.getValueByPointer = getValueByPointer;
  * @param operation The operation to apply
  * @param validateOperation `false` is without validation, `true` to use default jsonpatch's validation, or you can pass a `validateOperation` callback to be used for validation.
  * @param mutateDocument Whether to mutate the original document or clone it before applying
+ * @param banPrototypeModifications Whether to ban modifications to `__proto__`, defaults to `true`.
  * @return `{newDocument, result}` after the operation
  */
-function applyOperation(document, operation, validateOperation, mutateDocument) {
+function applyOperation(document, operation, validateOperation, mutateDocument, banPrototypeModifications) {
     if (validateOperation === void 0) { validateOperation = false; }
     if (mutateDocument === void 0) { mutateDocument = true; }
+    if (banPrototypeModifications === void 0) { banPrototypeModifications = true; }
     if (validateOperation) {
         if (typeof validateOperation == 'function') {
             validateOperation(operation, 0, document, operation.path);
@@ -425,6 +427,9 @@ function applyOperation(document, operation, validateOperation, mutateDocument)
         }
         while (true) {
             key = keys[t];
+            if (banPrototypeModifications && key == '__proto__') {
+                throw new TypeError('JSON-Patch: modifying `__proto_` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
+            }
             if (validateOperation) {
                 if (existingPathFragment === undefined) {
                     if (obj[key] === undefined) {
@@ -490,10 +495,12 @@ exports.applyOperation = applyOperation;
  * @param patch The patch to apply
  * @param validateOperation `false` is without validation, `true` to use default jsonpatch's validation, or you can pass a `validateOperation` callback to be used for validation.
  * @param mutateDocument Whether to mutate the original document or clone it before applying
+ * @param banPrototypeModifications Whether to ban modifications to `__proto__`, defaults to `true`.
  * @return An array of `{newDocument, result}` after the patch
  */
-function applyPatch(document, patch, validateOperation, mutateDocument) {
+function applyPatch(document, patch, validateOperation, mutateDocument, banPrototypeModifications) {
     if (mutateDocument === void 0) { mutateDocument = true; }
+    if (banPrototypeModifications === void 0) { banPrototypeModifications = true; }
     if (validateOperation) {
         if (!Array.isArray(patch)) {
             throw new exports.JsonPatchError('Patch sequence must be an array', 'SEQUENCE_NOT_AN_ARRAY');
@@ -504,7 +511,7 @@ function applyPatch(document, patch, validateOperation, mutateDocument) {
     }
     var results = new Array(patch.length);
     for (var i = 0, length_1 = patch.length; i < length_1; i++) {
-        results[i] = applyOperation(document, patch[i], validateOperation);
+        results[i] = applyOperation(document, patch[i], validateOperation, true, banPrototypeModifications);
         document = results[i].newDocument; // in case root was replaced
     }
     results.newDocument = document;
diff --git a/dist/fast-json-patch.min.js b/dist/fast-json-patch.min.js
index ec817fb1..6e7399f5 100644
--- a/dist/fast-json-patch.min.js
+++ b/dist/fast-json-patch.min.js
@@ -1,2 +1,2 @@
 /*! fast-json-patch, version: 2.0.7 */
-var jsonpatch=function(a){function b(d){if(c[d])return c[d].exports;var e=c[d]={i:d,l:!1,exports:{}};return a[d].call(e.exports,e,e.exports,b),e.l=!0,e.exports}var c={};return b.m=a,b.c=c,b.i=function(a){return a},b.d=function(a,c,d){b.o(a,c)||Object.defineProperty(a,c,{configurable:!1,enumerable:!0,get:d})},b.n=function(a){var c=a&&a.__esModule?function(){return a['default']}:function(){return a};return b.d(c,'a',c),c},b.o=function(a,b){return Object.prototype.hasOwnProperty.call(a,b)},b.p='',b(b.s=3)}([function(a,b){function c(a,b){return i.call(a,b)}function d(a){if(Array.isArray(a)){for(var b=Array(a.length),d=0;d<b.length;d++)b[d]=''+d;return b}if(Object.keys)return Object.keys(a);var b=[];for(var e in a)c(a,e)&&b.push(e);return b}function e(a){return-1===a.indexOf('/')&&-1===a.indexOf('~')?a:a.replace(/~/g,'~0').replace(/\//g,'~1')}function f(a,b){var d;for(var g in a)if(c(a,g)){if(a[g]===b)return e(g)+'/';if('object'==typeof a[g]&&(d=f(a[g],b),''!=d))return e(g)+'/'+d}return''}function g(a){if(a===void 0)return!0;if(a)if(Array.isArray(a)){for(var b=0,c=a.length;b<c;b++)if(g(a[b]))return!0;}else if('object'==typeof a)for(var e=d(a),f=e.length,b=0;b<f;b++)if(g(a[e[b]]))return!0;return!1}var h=this&&this.__extends||function(a,c){function b(){this.constructor=a}for(var d in c)c.hasOwnProperty(d)&&(a[d]=c[d]);a.prototype=null===c?Object.create(c):(b.prototype=c.prototype,new b)},i=Object.prototype.hasOwnProperty;b.hasOwnProperty=c,b._objectKeys=d;b._deepClone=function(a){switch(typeof a){case'object':return JSON.parse(JSON.stringify(a));case'undefined':return null;default:return a;}},b.isInteger=function(a){for(var b,c=0,d=a.length;c<d;){if(b=a.charCodeAt(c),48<=b&&57>=b){c++;continue}return!1}return!0},b.escapePathComponent=e,b.unescapePathComponent=function(a){return a.replace(/~1/g,'/').replace(/~0/g,'~')},b._getPathRecursive=f,b.getPath=function(a,b){if(a===b)return'/';var c=f(a,b);if(''===c)throw new Error('Object not found in root');return'/'+c},b.hasUndefined=g;var j=function(a){function b(b,c,d,e,f){a.call(this,b),this.message=b,this.name=c,this.index=d,this.operation=e,this.tree=f}return h(b,a),b}(Error);b.PatchError=j},function(a,b,c){function d(a,b){if(''==b)return a;var c={op:'_get',path:b};return e(a,c),c.value}function e(a,c,e,f){if(void 0===e&&(e=!1),void 0===f&&(f=!0),e&&('function'==typeof e?e(c,0,a,c.path):g(c,0)),''===c.path){var h={newDocument:a};if('add'===c.op)return h.newDocument=c.value,h;if('replace'===c.op)return h.newDocument=c.value,h.removed=a,h;if('move'===c.op||'copy'===c.op)return h.newDocument=d(a,c.from),'move'===c.op&&(h.removed=a),h;if('test'===c.op){if(h.test=k(a,c.value),!1===h.test)throw new b.JsonPatchError('Test operation failed','TEST_OPERATION_FAILED',0,c,a);return h.newDocument=a,h}if('remove'===c.op)return h.removed=a,h.newDocument=null,h;if('_get'===c.op)return c.value=a,h;if(e)throw new b.JsonPatchError('Operation `op` property is not one of operations defined in RFC-6902','OPERATION_OP_INVALID',0,c,a);else return h}else{f||(a=l._deepClone(a));var i,j,o,p=c.path||'',q=p.split('/'),r=a,s=1,t=q.length;for(o='function'==typeof e?e:g;;){if(j=q[s],e&&void 0==i&&(void 0===r[j]?i=q.slice(0,s).join('/'):s==t-1&&(i=c.path),void 0!==i&&o(c,0,a,i)),s++,Array.isArray(r)){if('-'===j)j=r.length;else if(e&&!l.isInteger(j))throw new b.JsonPatchError('Expected an unsigned base-10 integer value, making the new referenced value the array element with the zero-based index','OPERATION_PATH_ILLEGAL_ARRAY_INDEX',0,c.path,c);else l.isInteger(j)&&(j=~~j);if(s>=t){if(e&&'add'===c.op&&j>r.length)throw new b.JsonPatchError('The specified index MUST NOT be greater than the number of elements in the array','OPERATION_VALUE_OUT_OF_BOUNDS',0,c.path,c);var h=n[c.op].call(c,r,j,a);if(!1===h.test)throw new b.JsonPatchError('Test operation failed','TEST_OPERATION_FAILED',0,c,a);return h}}else if(j&&-1!=j.indexOf('~')&&(j=l.unescapePathComponent(j)),s>=t){var h=m[c.op].call(c,r,j,a);if(!1===h.test)throw new b.JsonPatchError('Test operation failed','TEST_OPERATION_FAILED',0,c,a);return h}r=r[j]}}}function f(a,c,d,f){if(void 0===f&&(f=!0),d&&!Array.isArray(c))throw new b.JsonPatchError('Patch sequence must be an array','SEQUENCE_NOT_AN_ARRAY');f||(a=l._deepClone(a));for(var g=Array(c.length),h=0,i=c.length;h<i;h++)g[h]=e(a,c[h],d),a=g[h].newDocument;return g.newDocument=a,g}function g(a,c,d,e){if('object'!=typeof a||null===a||Array.isArray(a))throw new b.JsonPatchError('Operation is not an object','OPERATION_NOT_AN_OBJECT',c,a,d);else if(!m[a.op])throw new b.JsonPatchError('Operation `op` property is not one of operations defined in RFC-6902','OPERATION_OP_INVALID',c,a,d);else if('string'!=typeof a.path)throw new b.JsonPatchError('Operation `path` property is not a string','OPERATION_PATH_INVALID',c,a,d);else if(0!==a.path.indexOf('/')&&0<a.path.length)throw new b.JsonPatchError('Operation `path` property must start with "/"','OPERATION_PATH_INVALID',c,a,d);else if(('move'===a.op||'copy'===a.op)&&'string'!=typeof a.from)throw new b.JsonPatchError('Operation `from` property is not present (applicable in `move` and `copy` operations)','OPERATION_FROM_REQUIRED',c,a,d);else if(('add'===a.op||'replace'===a.op||'test'===a.op)&&a.value===void 0)throw new b.JsonPatchError('Operation `value` property is not present (applicable in `add`, `replace` and `test` operations)','OPERATION_VALUE_REQUIRED',c,a,d);else if(('add'===a.op||'replace'===a.op||'test'===a.op)&&l.hasUndefined(a.value))throw new b.JsonPatchError('Operation `value` property is not present (applicable in `add`, `replace` and `test` operations)','OPERATION_VALUE_CANNOT_CONTAIN_UNDEFINED',c,a,d);else if(d)if('add'==a.op){var f=a.path.split('/').length,g=e.split('/').length;if(f!==g+1&&f!==g)throw new b.JsonPatchError('Cannot perform an `add` operation at the desired path','OPERATION_PATH_CANNOT_ADD',c,a,d)}else if('replace'===a.op||'remove'===a.op||'_get'===a.op){if(a.path!==e)throw new b.JsonPatchError('Cannot perform the operation at a path that does not exist','OPERATION_PATH_UNRESOLVABLE',c,a,d);}else if('move'===a.op||'copy'===a.op){var i={op:'_get',path:a.from,value:void 0},j=h([i],d);if(j&&'OPERATION_PATH_UNRESOLVABLE'===j.name)throw new b.JsonPatchError('Cannot perform the operation from a path that does not exist','OPERATION_FROM_UNRESOLVABLE',c,a,d)}}function h(a,c,d){try{if(!Array.isArray(a))throw new b.JsonPatchError('Patch sequence must be an array','SEQUENCE_NOT_AN_ARRAY');if(c)f(l._deepClone(c),l._deepClone(a),d||!0);else{d=d||g;for(var e=0;e<a.length;e++)d(a[e],e,c,void 0)}}catch(a){if(a instanceof b.JsonPatchError)return a;throw a}}var i={strict:!0},j=c(2),k=function(c,a){return j(c,a,i)},l=c(0);b.JsonPatchError=l.PatchError,b.deepClone=l._deepClone;var m={add:function(a,b,c){return a[b]=this.value,{newDocument:c}},remove:function(a,b,c){var d=a[b];return delete a[b],{newDocument:c,removed:d}},replace:function(a,b,c){var d=a[b];return a[b]=this.value,{newDocument:c,removed:d}},move:function(a,b,c){var f=d(c,this.path);f&&(f=l._deepClone(f));var g=e(c,{op:'remove',path:this.from}).removed;return e(c,{op:'add',path:this.path,value:g}),{newDocument:c,removed:f}},copy:function(a,b,c){var f=d(c,this.from);return e(c,{op:'add',path:this.path,value:l._deepClone(f)}),{newDocument:c}},test:function(a,b,c){return{newDocument:c,test:k(a[b],this.value)}},_get:function(a,b,c){return this.value=a[b],{newDocument:c}}},n={add:function(a,b,c){return l.isInteger(b)?a.splice(b,0,this.value):a[b]=this.value,{newDocument:c,index:b}},remove:function(a,b,c){var d=a.splice(b,1);return{newDocument:c,removed:d[0]}},replace:function(a,b,c){var d=a[b];return a[b]=this.value,{newDocument:c,removed:d}},move:m.move,copy:m.copy,test:m.test,_get:m._get};b.getValueByPointer=d,b.applyOperation=e,b.applyPatch=f,b.applyReducer=function(a,c){var d=e(a,c);if(!1===d.test)throw new b.JsonPatchError('Test operation failed','TEST_OPERATION_FAILED',0,c,a);return d.newDocument},b.validator=g,b.validate=h},function(a,b,c){function d(a){return null===a||a===void 0}function e(a){return a&&'object'==typeof a&&'number'==typeof a.length&&('function'!=typeof a.copy||'function'!=typeof a.slice?!1:0<a.length&&'number'!=typeof a[0]?!1:!0)}function f(c,f,l){var m,i;if(d(c)||d(f))return!1;if(c.prototype!==f.prototype)return!1;if(j(c))return!!j(f)&&(c=g.call(c),f=g.call(f),k(c,f,l));if(e(c)){if(!e(f))return!1;if(c.length!==f.length)return!1;for(m=0;m<c.length;m++)if(c[m]!==f[m])return!1;return!0}try{var n=h(c),o=h(f)}catch(a){return!1}if(n.length!=o.length)return!1;for(n.sort(),o.sort(),m=n.length-1;0<=m;m--)if(n[m]!=o[m])return!1;for(m=n.length-1;0<=m;m--)if(i=n[m],!k(c[i],f[i],l))return!1;return typeof c==typeof f}var g=Array.prototype.slice,h=c(5),j=c(4),k=a.exports=function(a,b,c){return c||(c={}),a===b||(a instanceof Date&&b instanceof Date?a.getTime()===b.getTime():a&&b&&('object'==typeof a||'object'==typeof b)?f(a,b,c):c.strict?a===b:a==b)}},function(a,b,c){function d(a){return o.get(a)}function e(a,b){return a.observers.get(b)}function f(a,b){a.observers.delete(b.callback)}function g(a){var b=o.get(a.object);h(b.value,a.object,a.patches,''),a.patches.length&&l.applyPatch(b.value,a.patches);var c=a.patches;return 0<c.length&&(a.patches=[],a.callback&&a.callback(c)),c}function h(a,b,c,d){if(b!==a){'function'==typeof b.toJSON&&(b=b.toJSON());for(var e=k._objectKeys(b),f=k._objectKeys(a),g=!1,i=!1,j=f.length-1;0<=j;j--){var l=f[j],m=a[l];if(k.hasOwnProperty(b,l)&&(void 0!==b[l]||void 0===m||!1!==Array.isArray(b))){var n=b[l];'object'==typeof m&&null!=m&&'object'==typeof n&&null!=n?h(m,n,c,d+'/'+k.escapePathComponent(l)):m!==n&&(g=!0,c.push({op:'replace',path:d+'/'+k.escapePathComponent(l),value:k._deepClone(n)}))}else c.push({op:'remove',path:d+'/'+k.escapePathComponent(l)}),i=!0}if(i||e.length!=f.length)for(var l,j=0;j<e.length;j++)l=e[j],k.hasOwnProperty(a,l)||void 0===b[l]||c.push({op:'add',path:d+'/'+k.escapePathComponent(l),value:k._deepClone(b[l])})}}var i={strict:!0},j=c(2),k=c(0),l=c(1),m=c(1);b.applyOperation=m.applyOperation,b.applyPatch=m.applyPatch,b.applyReducer=m.applyReducer,b.getValueByPointer=m.getValueByPointer,b.validate=m.validate,b.validator=m.validator;var n=c(0);b.JsonPatchError=n.PatchError,b.deepClone=n._deepClone,b.escapePathComponent=n.escapePathComponent,b.unescapePathComponent=n.unescapePathComponent;var o=new WeakMap,p=function(){return function(a){this.observers=new Map,this.obj=a}}(),q=function(){return function(a,b){this.callback=a,this.observer=b}}();b.unobserve=function(a,b){b.unobserve()},b.observe=function(a,b){var c,h=d(a);if(!h)h=new p(a),o.set(a,h);else{var i=e(h,b);c=i&&i.observer}if(c)return c;if(c={},h.value=k._deepClone(a),b){c.callback=b,c.next=null;var j=function(){g(c)},l=function(){clearTimeout(c.next),c.next=setTimeout(j)};'undefined'!=typeof window&&(window.addEventListener?(window.addEventListener('mouseup',l),window.addEventListener('keyup',l),window.addEventListener('mousedown',l),window.addEventListener('keydown',l),window.addEventListener('change',l)):(document.documentElement.attachEvent('onmouseup',l),document.documentElement.attachEvent('onkeyup',l),document.documentElement.attachEvent('onmousedown',l),document.documentElement.attachEvent('onkeydown',l),document.documentElement.attachEvent('onchange',l)))}return c.patches=[],c.object=a,c.unobserve=function(){g(c),clearTimeout(c.next),f(h,c),'undefined'!=typeof window&&(window.removeEventListener?(window.removeEventListener('mouseup',l),window.removeEventListener('keyup',l),window.removeEventListener('mousedown',l),window.removeEventListener('keydown',l)):(document.documentElement.detachEvent('onmouseup',l),document.documentElement.detachEvent('onkeyup',l),document.documentElement.detachEvent('onmousedown',l),document.documentElement.detachEvent('onkeydown',l)))},h.observers.set(b,new q(b,c)),c},b.generate=g,b.compare=function(a,b){var c=[];return h(a,b,c,''),c}},function(a,b){function c(a){return'[object Arguments]'==Object.prototype.toString.call(a)}function d(a){return a&&'object'==typeof a&&'number'==typeof a.length&&Object.prototype.hasOwnProperty.call(a,'callee')&&!Object.prototype.propertyIsEnumerable.call(a,'callee')||!1}var e='[object Arguments]'==function(){return Object.prototype.toString.call(arguments)}();b=a.exports=e?c:d,b.supported=c;b.unsupported=d},function(a,b){function c(a){var b=[];for(var c in a)b.push(c);return b}b=a.exports='function'==typeof Object.keys?Object.keys:c,b.shim=c}]);
\ No newline at end of file
+var jsonpatch=function(a){function b(d){if(c[d])return c[d].exports;var e=c[d]={i:d,l:!1,exports:{}};return a[d].call(e.exports,e,e.exports,b),e.l=!0,e.exports}var c={};return b.m=a,b.c=c,b.i=function(a){return a},b.d=function(a,c,d){b.o(a,c)||Object.defineProperty(a,c,{configurable:!1,enumerable:!0,get:d})},b.n=function(a){var c=a&&a.__esModule?function(){return a['default']}:function(){return a};return b.d(c,'a',c),c},b.o=function(a,b){return Object.prototype.hasOwnProperty.call(a,b)},b.p='',b(b.s=3)}([function(a,b){function c(a,b){return i.call(a,b)}function d(a){if(Array.isArray(a)){for(var b=Array(a.length),d=0;d<b.length;d++)b[d]=''+d;return b}if(Object.keys)return Object.keys(a);var b=[];for(var e in a)c(a,e)&&b.push(e);return b}function e(a){return-1===a.indexOf('/')&&-1===a.indexOf('~')?a:a.replace(/~/g,'~0').replace(/\//g,'~1')}function f(a,b){var d;for(var g in a)if(c(a,g)){if(a[g]===b)return e(g)+'/';if('object'==typeof a[g]&&(d=f(a[g],b),''!=d))return e(g)+'/'+d}return''}function g(a){if(a===void 0)return!0;if(a)if(Array.isArray(a)){for(var b=0,c=a.length;b<c;b++)if(g(a[b]))return!0;}else if('object'==typeof a)for(var e=d(a),f=e.length,b=0;b<f;b++)if(g(a[e[b]]))return!0;return!1}var h=this&&this.__extends||function(a,c){function b(){this.constructor=a}for(var d in c)c.hasOwnProperty(d)&&(a[d]=c[d]);a.prototype=null===c?Object.create(c):(b.prototype=c.prototype,new b)},i=Object.prototype.hasOwnProperty;b.hasOwnProperty=c,b._objectKeys=d;b._deepClone=function(a){switch(typeof a){case'object':return JSON.parse(JSON.stringify(a));case'undefined':return null;default:return a;}},b.isInteger=function(a){for(var b,c=0,d=a.length;c<d;){if(b=a.charCodeAt(c),48<=b&&57>=b){c++;continue}return!1}return!0},b.escapePathComponent=e,b.unescapePathComponent=function(a){return a.replace(/~1/g,'/').replace(/~0/g,'~')},b._getPathRecursive=f,b.getPath=function(a,b){if(a===b)return'/';var c=f(a,b);if(''===c)throw new Error('Object not found in root');return'/'+c},b.hasUndefined=g;var j=function(a){function b(b,c,d,e,f){a.call(this,b),this.message=b,this.name=c,this.index=d,this.operation=e,this.tree=f}return h(b,a),b}(Error);b.PatchError=j},function(a,b,c){function d(a,b){if(''==b)return a;var c={op:'_get',path:b};return e(a,c),c.value}function e(a,c,e,f,h){if(void 0===e&&(e=!1),void 0===f&&(f=!0),void 0===h&&(h=!0),e&&('function'==typeof e?e(c,0,a,c.path):g(c,0)),''===c.path){var i={newDocument:a};if('add'===c.op)return i.newDocument=c.value,i;if('replace'===c.op)return i.newDocument=c.value,i.removed=a,i;if('move'===c.op||'copy'===c.op)return i.newDocument=d(a,c.from),'move'===c.op&&(i.removed=a),i;if('test'===c.op){if(i.test=k(a,c.value),!1===i.test)throw new b.JsonPatchError('Test operation failed','TEST_OPERATION_FAILED',0,c,a);return i.newDocument=a,i}if('remove'===c.op)return i.removed=a,i.newDocument=null,i;if('_get'===c.op)return c.value=a,i;if(e)throw new b.JsonPatchError('Operation `op` property is not one of operations defined in RFC-6902','OPERATION_OP_INVALID',0,c,a);else return i}else{f||(a=l._deepClone(a));var j,o,p,q=c.path||'',r=q.split('/'),s=a,u=1,t=r.length;for(p='function'==typeof e?e:g;;){if(o=r[u],h&&'__proto__'==o)throw new TypeError('JSON-Patch: modifying `__proto_` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');if(e&&void 0==j&&(void 0===s[o]?j=r.slice(0,u).join('/'):u==t-1&&(j=c.path),void 0!==j&&p(c,0,a,j)),u++,Array.isArray(s)){if('-'===o)o=s.length;else if(e&&!l.isInteger(o))throw new b.JsonPatchError('Expected an unsigned base-10 integer value, making the new referenced value the array element with the zero-based index','OPERATION_PATH_ILLEGAL_ARRAY_INDEX',0,c.path,c);else l.isInteger(o)&&(o=~~o);if(u>=t){if(e&&'add'===c.op&&o>s.length)throw new b.JsonPatchError('The specified index MUST NOT be greater than the number of elements in the array','OPERATION_VALUE_OUT_OF_BOUNDS',0,c.path,c);var i=n[c.op].call(c,s,o,a);if(!1===i.test)throw new b.JsonPatchError('Test operation failed','TEST_OPERATION_FAILED',0,c,a);return i}}else if(o&&-1!=o.indexOf('~')&&(o=l.unescapePathComponent(o)),u>=t){var i=m[c.op].call(c,s,o,a);if(!1===i.test)throw new b.JsonPatchError('Test operation failed','TEST_OPERATION_FAILED',0,c,a);return i}s=s[o]}}}function f(a,c,d,f,g){if(void 0===f&&(f=!0),void 0===g&&(g=!0),d&&!Array.isArray(c))throw new b.JsonPatchError('Patch sequence must be an array','SEQUENCE_NOT_AN_ARRAY');f||(a=l._deepClone(a));for(var h=Array(c.length),j=0,i=c.length;j<i;j++)h[j]=e(a,c[j],d,!0,g),a=h[j].newDocument;return h.newDocument=a,h}function g(a,c,d,e){if('object'!=typeof a||null===a||Array.isArray(a))throw new b.JsonPatchError('Operation is not an object','OPERATION_NOT_AN_OBJECT',c,a,d);else if(!m[a.op])throw new b.JsonPatchError('Operation `op` property is not one of operations defined in RFC-6902','OPERATION_OP_INVALID',c,a,d);else if('string'!=typeof a.path)throw new b.JsonPatchError('Operation `path` property is not a string','OPERATION_PATH_INVALID',c,a,d);else if(0!==a.path.indexOf('/')&&0<a.path.length)throw new b.JsonPatchError('Operation `path` property must start with "/"','OPERATION_PATH_INVALID',c,a,d);else if(('move'===a.op||'copy'===a.op)&&'string'!=typeof a.from)throw new b.JsonPatchError('Operation `from` property is not present (applicable in `move` and `copy` operations)','OPERATION_FROM_REQUIRED',c,a,d);else if(('add'===a.op||'replace'===a.op||'test'===a.op)&&a.value===void 0)throw new b.JsonPatchError('Operation `value` property is not present (applicable in `add`, `replace` and `test` operations)','OPERATION_VALUE_REQUIRED',c,a,d);else if(('add'===a.op||'replace'===a.op||'test'===a.op)&&l.hasUndefined(a.value))throw new b.JsonPatchError('Operation `value` property is not present (applicable in `add`, `replace` and `test` operations)','OPERATION_VALUE_CANNOT_CONTAIN_UNDEFINED',c,a,d);else if(d)if('add'==a.op){var f=a.path.split('/').length,g=e.split('/').length;if(f!==g+1&&f!==g)throw new b.JsonPatchError('Cannot perform an `add` operation at the desired path','OPERATION_PATH_CANNOT_ADD',c,a,d)}else if('replace'===a.op||'remove'===a.op||'_get'===a.op){if(a.path!==e)throw new b.JsonPatchError('Cannot perform the operation at a path that does not exist','OPERATION_PATH_UNRESOLVABLE',c,a,d);}else if('move'===a.op||'copy'===a.op){var i={op:'_get',path:a.from,value:void 0},j=h([i],d);if(j&&'OPERATION_PATH_UNRESOLVABLE'===j.name)throw new b.JsonPatchError('Cannot perform the operation from a path that does not exist','OPERATION_FROM_UNRESOLVABLE',c,a,d)}}function h(a,c,d){try{if(!Array.isArray(a))throw new b.JsonPatchError('Patch sequence must be an array','SEQUENCE_NOT_AN_ARRAY');if(c)f(l._deepClone(c),l._deepClone(a),d||!0);else{d=d||g;for(var e=0;e<a.length;e++)d(a[e],e,c,void 0)}}catch(a){if(a instanceof b.JsonPatchError)return a;throw a}}var i={strict:!0},j=c(2),k=function(c,a){return j(c,a,i)},l=c(0);b.JsonPatchError=l.PatchError,b.deepClone=l._deepClone;var m={add:function(a,b,c){return a[b]=this.value,{newDocument:c}},remove:function(a,b,c){var d=a[b];return delete a[b],{newDocument:c,removed:d}},replace:function(a,b,c){var d=a[b];return a[b]=this.value,{newDocument:c,removed:d}},move:function(a,b,c){var f=d(c,this.path);f&&(f=l._deepClone(f));var g=e(c,{op:'remove',path:this.from}).removed;return e(c,{op:'add',path:this.path,value:g}),{newDocument:c,removed:f}},copy:function(a,b,c){var f=d(c,this.from);return e(c,{op:'add',path:this.path,value:l._deepClone(f)}),{newDocument:c}},test:function(a,b,c){return{newDocument:c,test:k(a[b],this.value)}},_get:function(a,b,c){return this.value=a[b],{newDocument:c}}},n={add:function(a,b,c){return l.isInteger(b)?a.splice(b,0,this.value):a[b]=this.value,{newDocument:c,index:b}},remove:function(a,b,c){var d=a.splice(b,1);return{newDocument:c,removed:d[0]}},replace:function(a,b,c){var d=a[b];return a[b]=this.value,{newDocument:c,removed:d}},move:m.move,copy:m.copy,test:m.test,_get:m._get};b.getValueByPointer=d,b.applyOperation=e,b.applyPatch=f,b.applyReducer=function(a,c){var d=e(a,c);if(!1===d.test)throw new b.JsonPatchError('Test operation failed','TEST_OPERATION_FAILED',0,c,a);return d.newDocument},b.validator=g,b.validate=h},function(a,b,c){function d(a){return null===a||a===void 0}function e(a){return a&&'object'==typeof a&&'number'==typeof a.length&&('function'!=typeof a.copy||'function'!=typeof a.slice?!1:0<a.length&&'number'!=typeof a[0]?!1:!0)}function f(c,f,l){var m,i;if(d(c)||d(f))return!1;if(c.prototype!==f.prototype)return!1;if(j(c))return!!j(f)&&(c=g.call(c),f=g.call(f),k(c,f,l));if(e(c)){if(!e(f))return!1;if(c.length!==f.length)return!1;for(m=0;m<c.length;m++)if(c[m]!==f[m])return!1;return!0}try{var n=h(c),o=h(f)}catch(a){return!1}if(n.length!=o.length)return!1;for(n.sort(),o.sort(),m=n.length-1;0<=m;m--)if(n[m]!=o[m])return!1;for(m=n.length-1;0<=m;m--)if(i=n[m],!k(c[i],f[i],l))return!1;return typeof c==typeof f}var g=Array.prototype.slice,h=c(5),j=c(4),k=a.exports=function(a,b,c){return c||(c={}),a===b||(a instanceof Date&&b instanceof Date?a.getTime()===b.getTime():a&&b&&('object'==typeof a||'object'==typeof b)?f(a,b,c):c.strict?a===b:a==b)}},function(a,b,c){function d(a){return o.get(a)}function e(a,b){return a.observers.get(b)}function f(a,b){a.observers.delete(b.callback)}function g(a){var b=o.get(a.object);h(b.value,a.object,a.patches,''),a.patches.length&&l.applyPatch(b.value,a.patches);var c=a.patches;return 0<c.length&&(a.patches=[],a.callback&&a.callback(c)),c}function h(a,b,c,d){if(b!==a){'function'==typeof b.toJSON&&(b=b.toJSON());for(var e=k._objectKeys(b),f=k._objectKeys(a),g=!1,i=!1,j=f.length-1;0<=j;j--){var l=f[j],m=a[l];if(k.hasOwnProperty(b,l)&&(void 0!==b[l]||void 0===m||!1!==Array.isArray(b))){var n=b[l];'object'==typeof m&&null!=m&&'object'==typeof n&&null!=n?h(m,n,c,d+'/'+k.escapePathComponent(l)):m!==n&&(g=!0,c.push({op:'replace',path:d+'/'+k.escapePathComponent(l),value:k._deepClone(n)}))}else c.push({op:'remove',path:d+'/'+k.escapePathComponent(l)}),i=!0}if(i||e.length!=f.length)for(var l,j=0;j<e.length;j++)l=e[j],k.hasOwnProperty(a,l)||void 0===b[l]||c.push({op:'add',path:d+'/'+k.escapePathComponent(l),value:k._deepClone(b[l])})}}var i={strict:!0},j=c(2),k=c(0),l=c(1),m=c(1);b.applyOperation=m.applyOperation,b.applyPatch=m.applyPatch,b.applyReducer=m.applyReducer,b.getValueByPointer=m.getValueByPointer,b.validate=m.validate,b.validator=m.validator;var n=c(0);b.JsonPatchError=n.PatchError,b.deepClone=n._deepClone,b.escapePathComponent=n.escapePathComponent,b.unescapePathComponent=n.unescapePathComponent;var o=new WeakMap,p=function(){return function(a){this.observers=new Map,this.obj=a}}(),q=function(){return function(a,b){this.callback=a,this.observer=b}}();b.unobserve=function(a,b){b.unobserve()},b.observe=function(a,b){var c,h=d(a);if(!h)h=new p(a),o.set(a,h);else{var i=e(h,b);c=i&&i.observer}if(c)return c;if(c={},h.value=k._deepClone(a),b){c.callback=b,c.next=null;var j=function(){g(c)},l=function(){clearTimeout(c.next),c.next=setTimeout(j)};'undefined'!=typeof window&&(window.addEventListener?(window.addEventListener('mouseup',l),window.addEventListener('keyup',l),window.addEventListener('mousedown',l),window.addEventListener('keydown',l),window.addEventListener('change',l)):(document.documentElement.attachEvent('onmouseup',l),document.documentElement.attachEvent('onkeyup',l),document.documentElement.attachEvent('onmousedown',l),document.documentElement.attachEvent('onkeydown',l),document.documentElement.attachEvent('onchange',l)))}return c.patches=[],c.object=a,c.unobserve=function(){g(c),clearTimeout(c.next),f(h,c),'undefined'!=typeof window&&(window.removeEventListener?(window.removeEventListener('mouseup',l),window.removeEventListener('keyup',l),window.removeEventListener('mousedown',l),window.removeEventListener('keydown',l)):(document.documentElement.detachEvent('onmouseup',l),document.documentElement.detachEvent('onkeyup',l),document.documentElement.detachEvent('onmousedown',l),document.documentElement.detachEvent('onkeydown',l)))},h.observers.set(b,new q(b,c)),c},b.generate=g,b.compare=function(a,b){var c=[];return h(a,b,c,''),c}},function(a,b){function c(a){return'[object Arguments]'==Object.prototype.toString.call(a)}function d(a){return a&&'object'==typeof a&&'number'==typeof a.length&&Object.prototype.hasOwnProperty.call(a,'callee')&&!Object.prototype.propertyIsEnumerable.call(a,'callee')||!1}var e='[object Arguments]'==function(){return Object.prototype.toString.call(arguments)}();b=a.exports=e?c:d,b.supported=c;b.unsupported=d},function(a,b){function c(a){var b=[];for(var c in a)b.push(c);return b}b=a.exports='function'==typeof Object.keys?Object.keys:c,b.shim=c}]);
\ No newline at end of file
diff --git a/src/core.ts b/src/core.ts
index c6a5b8db..147c2d8c 100644
--- a/src/core.ts
+++ b/src/core.ts
@@ -193,9 +193,10 @@ export function getValueByPointer(document: any, pointer: string): any {
  * @param operation The operation to apply
  * @param validateOperation `false` is without validation, `true` to use default jsonpatch's validation, or you can pass a `validateOperation` callback to be used for validation.
  * @param mutateDocument Whether to mutate the original document or clone it before applying
+ * @param banPrototypeModifications Whether to ban modifications to `__proto__`, defaults to `true`.
  * @return `{newDocument, result}` after the operation
  */
-export function applyOperation<T>(document: T, operation: Operation, validateOperation: boolean | Validator<T> = false, mutateDocument: boolean = true): OperationResult<T> {
+export function applyOperation<T>(document: T, operation: Operation, validateOperation: boolean | Validator<T> = false, mutateDocument: boolean = true, banPrototypeModifications: boolean = true): OperationResult<T> {
   if (validateOperation) {
     if (typeof validateOperation == 'function') {
       validateOperation(operation, 0, document, operation.path);
@@ -264,6 +265,10 @@ export function applyOperation<T>(document: T, operation: Operation, validateOpe
     while (true) {
       key = keys[t];
 
+      if(banPrototypeModifications && key == '__proto__') {
+        throw new TypeError('JSON-Patch: modifying `__proto_` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README');
+      }
+
       if (validateOperation) {
         if (existingPathFragment === undefined) {
           if (obj[key] === undefined) {
@@ -329,9 +334,10 @@ export function applyOperation<T>(document: T, operation: Operation, validateOpe
  * @param patch The patch to apply
  * @param validateOperation `false` is without validation, `true` to use default jsonpatch's validation, or you can pass a `validateOperation` callback to be used for validation.
  * @param mutateDocument Whether to mutate the original document or clone it before applying
+ * @param banPrototypeModifications Whether to ban modifications to `__proto__`, defaults to `true`.
  * @return An array of `{newDocument, result}` after the patch
  */
-export function applyPatch<T>(document: T, patch: Operation[], validateOperation?: boolean | Validator<T>, mutateDocument: boolean = true): PatchResult<T> {
+export function applyPatch<T>(document: T, patch: Operation[], validateOperation?: boolean | Validator<T>, mutateDocument: boolean = true, banPrototypeModifications: boolean = true): PatchResult<T> {
   if(validateOperation) {
     if(!Array.isArray(patch)) {
       throw new JsonPatchError('Patch sequence must be an array', 'SEQUENCE_NOT_AN_ARRAY');
@@ -343,7 +349,7 @@ export function applyPatch<T>(document: T, patch: Operation[], validateOperation
   const results = new Array(patch.length) as PatchResult<T>;
 
   for (let i = 0, length = patch.length; i < length; i++) {
-    results[i] = applyOperation(document, patch[i], validateOperation);
+    results[i] = applyOperation(document, patch[i], validateOperation, true, banPrototypeModifications);
     document = results[i].newDocument; // in case root was replaced
   }
   results.newDocument = document;
diff --git a/test/spec/coreSpec.js b/test/spec/coreSpec.js
index dcabb0c9..369005eb 100644
--- a/test/spec/coreSpec.js
+++ b/test/spec/coreSpec.js
@@ -9,40 +9,44 @@ if (typeof _ === 'undefined') {
 describe('jsonpatch.getValueByPointer', function() {
   it('should retrieve values by JSON pointer from tree - deep object', function() {
     var obj = {
-      person: {name: 'Marilyn'}
+      person: { name: 'Marilyn' }
     };
-    var name = jsonpatch.getValueByPointer(obj, '/person/name')
+    var name = jsonpatch.getValueByPointer(obj, '/person/name');
     expect(name).toEqual('Marilyn');
   });
 
   it('should retrieve values by JSON pointer from tree - deep array', function() {
     var obj = {
-      people: [{name: 'Marilyn'}, {name: 'Monroe'}]
+      people: [{ name: 'Marilyn' }, { name: 'Monroe' }]
     };
-    var name = jsonpatch.getValueByPointer(obj, '/people/1/name')
+    var name = jsonpatch.getValueByPointer(obj, '/people/1/name');
     expect(name).toEqual('Monroe');
   });
 
   it('should retrieve values by JSON pointer from tree - root object', function() {
     var obj = {
-      people: [{name: 'Marilyn'}, {name: 'Monroe'}]
+      people: [{ name: 'Marilyn' }, { name: 'Monroe' }]
     };
     var retrievedObject = jsonpatch.getValueByPointer(obj, '');
 
     expect(retrievedObject).toEqual({
-      people: [{name: 'Marilyn'}, {name: 'Monroe'}]
+      people: [{ name: 'Marilyn' }, { name: 'Monroe' }]
     });
   });
 
   it('should retrieve values by JSON pointer from tree - root array', function() {
-    var obj = [{
-      people: [{name: 'Marilyn'}, {name: 'Monroe'}]
-    }];
+    var obj = [
+      {
+        people: [{ name: 'Marilyn' }, { name: 'Monroe' }]
+      }
+    ];
     var retrievedObject = jsonpatch.getValueByPointer(obj, '');
 
-    expect(retrievedObject).toEqual([{
-      people: [{name: 'Marilyn'}, {name: 'Monroe'}]
-    }]);
+    expect(retrievedObject).toEqual([
+      {
+        people: [{ name: 'Marilyn' }, { name: 'Monroe' }]
+      }
+    ]);
   });
 });
 describe('jsonpatch.applyReducer - using with Array#reduce', function() {
@@ -62,26 +66,30 @@ describe('jsonpatch.applyReducer - using with Array#reduce', function() {
   });
 });
 describe('root replacement with applyOperation', function() {
-  describe('_get operation', function () {
+  describe('_get operation', function() {
     it('should get root value', function() {
-      var obj = [{
-        people: [{name: 'Marilyn'}, {name: 'Monroe'}]
-      }];
+      var obj = [
+        {
+          people: [{ name: 'Marilyn' }, { name: 'Monroe' }]
+        }
+      ];
 
-      var patch = {op: '_get', path: ''};
+      var patch = { op: '_get', path: '' };
 
       jsonpatch.applyOperation(obj, patch);
 
-      expect(patch.value).toEqual([{
-        people: [{name: 'Marilyn'}, {name: 'Monroe'}]
-      }]);
+      expect(patch.value).toEqual([
+        {
+          people: [{ name: 'Marilyn' }, { name: 'Monroe' }]
+        }
+      ]);
     });
     it('should get deep value', function() {
       var obj = {
-        people: [{name: 'Marilyn'}, {name: 'Monroe'}]
+        people: [{ name: 'Marilyn' }, { name: 'Monroe' }]
       };
 
-      var patch = {op: '_get', path: '/people/1/name'};
+      var patch = { op: '_get', path: '/people/1/name' };
 
       jsonpatch.applyOperation(obj, patch);
 
@@ -179,7 +187,7 @@ describe('root replacement with applyOperation', function() {
         }
       ]);
     });
-     it('should `add` an array prop', function() {
+    it('should `add` an array prop', function() {
       var obj = [];
 
       var newObj = jsonpatch.applyOperation(obj, {
@@ -1508,25 +1516,23 @@ describe('core', function() {
   it('should apply copy, without leaving cross-reference between nodes', function() {
     var obj = {};
     var patchset = [
-      {op: 'add', path: '/foo', value: []},
-      {op: 'add', path: '/foo/-', value: 1},
-      {op: 'copy', from: '/foo', path: '/bar'},
-      {op: 'add', path: '/bar/-', value: 2}
+      { op: 'add', path: '/foo', value: [] },
+      { op: 'add', path: '/foo/-', value: 1 },
+      { op: 'copy', from: '/foo', path: '/bar' },
+      { op: 'add', path: '/bar/-', value: 2 }
     ];
 
     jsonpatch.applyPatch(obj, patchset);
 
     expect(obj).toEqual({
-      "foo": [1],
-      "bar": [1, 2],
+      foo: [1],
+      bar: [1, 2]
     });
   });
 
-  it('should use value object as a reference', function () {
+  it('should use value object as a reference', function() {
     var obj1 = {};
-    var patch = [
-      {op: 'add', path: '/foo', value: []}
-    ];
+    var patch = [{ op: 'add', path: '/foo', value: [] }];
 
     jsonpatch.applyPatch(obj1, patch, false);
 
@@ -1910,5 +1916,56 @@ describe('undefined - JS to JSON projection / JSON to JS extension', function()
         bar: null
       });
     });
+
+    it(`should allow __proto__ modifications when the flag is set`, function() {
+      function SomeClass() {
+        this.foo = 'bar';
+      }
+
+      let doc = new SomeClass();
+      let otherDoc = new SomeClass();
+
+      const patch = [
+        { op: 'replace', path: `/__proto__/x`, value: 'polluted' }
+      ];
+
+      jsonpatch.applyPatch(doc, patch, false, true, false);
+
+      expect(otherDoc.x).toEqual('polluted');
+    });
+
+    it(`should not allow __proto__ modifications without setting the flag and should throw an error`, function() {
+      const expectedErrorMessage =
+        'JSON-Patch: modifying `__proto_` prop is banned for security reasons, if this was on purpose, please set `banPrototypeModifications` flag false and pass it to this function. More info in fast-json-patch README';
+
+      function SomeClass() {
+        this.foo = 'bar';
+      }
+
+      let doc = new SomeClass();
+      let otherDoc = new SomeClass();
+
+      const patch = [
+        { op: 'replace', path: `/__proto__/x`, value: 'polluted' }
+      ];
+
+      try {
+        jsonpatch.applyPatch(doc, patch);
+      } catch (e) {
+        expect(e.message).toEqual(expectedErrorMessage);
+      }
+
+      expect(otherDoc.x).toEqual(undefined);
+      expect(doc.x).toEqual(undefined);
+
+      let arr = [];
+
+      try {
+        jsonpatch.applyPatch(arr, patch);
+      } catch (e) {
+        expect(e.message).toEqual(expectedErrorMessage);
+      }
+      expect(arr.x).toEqual(undefined);
+    });
   });
 });