diff --git a/index.js b/index.js
index f9d0b2c..9798e90 100644
--- a/index.js
+++ b/index.js
@@ -136,13 +136,19 @@ parse.expandKeys = config => {
 let m = /(\S+) "(.*)"/.exec(key);
 if (!m) continue;
 let prop = m[1];
+ let subProp = m[2];
+ if (isForbiddenProp(prop) || isForbiddenProp(subProp)) continue;
 config[prop] = config[prop] || {};
- config[prop][m[2]] = config[key];
+ config[prop][subProp] = config[key];
 delete config[key];
 }
 return config;
 };
+function isForbiddenProp(prop) {
+ return prop === '__proto__' || prop === 'constructor' || prop === 'prototype';
+}
+
 function parseIni(str, options) {
 let opts = Object.assign({}, options);
diff --git a/test/test.js b/test/test.js
index 7873cd0..81a97f9 100644
--- a/test/test.js
+++ b/test/test.js
@@ -102,6 +102,14 @@ describe('parse-git-config', function() {
 }
 });
 });
+
+ it('should prevent prototype pollution', function() {
+ const config = {};
+ const key = '__proto__ "polluted"';
+ config[key] = true;
+ parse.expandKeys(config);
+ assert.equal({}.polluted, undefined);
+ })
 });
 describe('resolve', function() {
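Review bot: The new guard is a three-name denylist, but the line after it, `config[prop] = config[prop] || {};`, still resolves inherited properties: assuming `config` is an ordinary object, a section whose name is any other `Object.prototype` member (e.g. `toString`) makes `config[prop]` the shared builtin function, and the following `config[prop][subProp] = ...` then writes onto that shared object for the whole process. Make the container an own-property check so the denylist is a second line of defence rather than the only one: `config[prop] = Object.prototype.hasOwnProperty.call(config, prop) ? config[prop] : {};`. Separately, the added `continue` runs before `delete config[key]`, so a rejected entry stays on the returned object under its raw `__proto__ "polluted"` key; if the intent is to drop it, delete it before continuing. The enclosing loop and the `expandKeys` arrow function start above this hunk.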
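Review bot: The new test asserts only on `{}.polluted`, so it exercises neither the other two denylisted names nor the sub-property position checked by `isForbiddenProp(subProp)`, and it does not check what the rejected entry leaves behind on `config`; add at least `assert.equal(Object.prototype.polluted, undefined);` and a second case such as `const key2 = 'constructor "prototype"';` pushed through `parse.expandKeys` the same way. The closing `})` of the new `it` block drops the trailing semicolon the surrounding tests use; make it `});`. The enclosing `describe` starts above this hunk.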