diff --git a/src/merge.js b/src/merge.js
index d428b14..49f467b 100644
--- a/src/merge.js
+++ b/src/merge.js
@@ -6,6 +6,7 @@ export function merge(a, b, k) {
 }
 } else {
 for (k in b) {
+ if (k === '__proto__' || k === 'constructor' || k === 'prototype') break;
 a[k] = merge(a[k], b[k]);
 }
 }
diff --git a/test/suites/pollution.js b/test/suites/pollution.js
index 2bca8dd..bf47756 100644
--- a/test/suites/pollution.js
+++ b/test/suites/pollution.js
@@ -85,5 +85,15 @@ export default function (dset) {
 });
 });
+ // Test for CVE-2022-25645 - CWE-1321
+ pollution('should ignore JSON.parse crafted object with "__proto__" key', () => {
+ let a = { b: { c: 1 } };
+ assert.is(a.polluted, undefined);
+ assert.is({}.polluted, undefined);
+ dset(a, "b", JSON.parse('{"__proto__":{"polluted":"Yes!"}}'));
+ assert.is(a.polluted, undefined);
+ assert.is({}.polluted, undefined);
+ });
+
 pollution.run();
 }
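Review bot: In src/merge.js the new guard inside `for (k in b)` uses `break`, so a blocked key ends the whole loop: keys enumerated before it have already been merged into `a`, and keys after it are silently dropped, which makes the result depend on property order. If the intent is to ignore only the dangerous key, `if (k === '__proto__' || k === 'constructor' || k === 'prototype') continue;` does that; if the intent is to reject the input outright, the check should run before any key is written. Either way, a one-line comment above the guard stating which behaviour is intended would keep a later refactor from weakening it. merge's body starts and ends outside the hunk, so the branch above the `else` is not visible and may need the same treatment.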
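Review bot: The case added in test/suites/pollution.js covers only the `__proto__` key, while the guard added to merge in this commit also blocks `constructor` and `prototype`, so two of the three conditions have no regression test. The test also never checks what `a.b` holds afterwards, so it passes whether the merge skips the key, stops early, or loses benign sibling keys; an assertion on the resulting `a.b`, plus a payload that carries an ordinary key next to the blocked one, would pin the intended behaviour. If an assertion fails after a successful pollution, `Object.prototype.polluted` stays set for the rest of the run, so a cleanup such as `delete Object.prototype.polluted` is worth considering. The enclosing `export default function (dset)` starts outside the hunk.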