diff --git a/lib/parse.js b/lib/parse.js
index 731161e..807c4ae 100644
--- a/lib/parse.js
+++ b/lib/parse.js
@@ -153,6 +153,12 @@ function parsePlistXML (node) {
if (isEmptyNode(node)) {
return '';
}
+
+ invariant(
+ node.childNodes[0].nodeValue !== '__proto__',
+ '__proto__ keys can lead to prototype pollution. More details on CVE-2022-22912'
+ );
+
return node.childNodes[0].nodeValue;
} else if (node.nodeName === 'string') {
res = '';
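Review bot: The added invariant rejects only the exact literal `'__proto__'`, so if the returned key text is later used as a plain-object property name (presumably so, given the CVE message, though parsePlistXML begins before this hunk), `constructor` and `prototype` keys remain accepted and form the other well-known route to the same prototype-pollution outcome. A blocklist such as `!['__proto__', 'constructor', 'prototype'].includes(node.childNodes[0].nodeValue)` is the minimal extension; building the dictionary with `Object.create(null)` (or a `Map`) where the keys are assembled removes the dependence on a blocklist altogether. The error string names the CVE but not the reasoning, so a one-line comment above the `invariant(` call, e.g. `// Reject key names that would write to Object.prototype when the dict is assembled.`, would make the intent clear to the next maintainer.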
diff --git a/test/parse.js b/test/parse.js
index 0dd10ba..4e46e40 100644
--- a/test/parse.js
+++ b/test/parse.js
@@ -187,6 +187,18 @@ U=
);
assert.deepEqual(parsed, { a: { a1: true } });
});
+
+ /* Test to protect against CVE-2022-22912 */
+ it('should throw if key value is __proto__', function () {
+ assert.throws(function () {
+ parseFixture('__proto__lengthpolluted');
+ });
+
+ // adding backslash should still be protected.
+ assert.throws(function () {
+ parseFixture('_\_proto_\_lengthpolluted');
+ });
+ });
});
describe('integration', function () {