diff --git a/__tests__/parseQuery.spec.ts b/__tests__/parseQuery.spec.ts
index b16c86245..7c849bbdf 100644
--- a/__tests__/parseQuery.spec.ts
+++ b/__tests__/parseQuery.spec.ts
@@ -85,4 +85,15 @@ describe('parseQuery', () => {
     expect('decoding "%"').toHaveBeenWarnedTimes(1)
   })
+
+  it('ignores __proto__', () => {
+    const query = parseQuery('__proto__=1')
+    expect(query.__proto__).toEqual(Object.prototype)
+    expect(query.constructor).toEqual(Object)
+  })
+
+  it('ignores build-in methods', () => {
+    const query = parseQuery('toString=1')
+    expect(query.toString).toEqual(Object.prototype.toString)
+  })
 })
diff --git a/src/query.ts b/src/query.ts
index f13c17045..c936c7a27 100644
--- a/src/query.ts
+++ b/src/query.ts
@@ -55,6 +55,12 @@ export function parseQuery(search: string): LocationQuery {
     // allow the = character
     let eqPos = searchParam.indexOf('=')
     let key = decode(eqPos < 0 ? searchParam : searchParam.slice(0, eqPos))
+
+    // this ignores ?__proto__&toString
+    if (Object.prototype.hasOwnProperty(key)) {
+      continue
+    }
+
     let value = eqPos < 0 ? null : decode(searchParam.slice(eqPos + 1))
     if (key in query) {
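Review bot: The `__proto__` assertion in 'ignores __proto__' only detects the injection indirectly: assigning a string through the inherited `__proto__` setter is a no-op at runtime, so `query.__proto__` would still equal `Object.prototype` even if the key were not dropped, and the test appears to rely on the repeated-key branch (`if (key in query)`, whose body is outside this diff) turning the value into an object. A direct assertion on the parser's own output makes the contract explicit and independent of that path: add `expect(Object.keys(query)).toEqual([])` to both new cases, keeping the existing checks as secondary. The second test's name also has a typo; `it('ignores built-in methods', () => {` is the intended wording.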