diff --git a/index.js b/index.js
index 115a37c..b051efd 100644
--- a/index.js
+++ b/index.js
@@ -40,6 +40,22 @@ var decode = function(str) {
 }
 }
+/**
+ * Ensure any potential prototype pollution can be sanitized.
+ *
+ * @param {String} str
+ * @return {String}
+ * @api public
+ */
+
+var sanitizeObjKey = function(str) {
+ if (str && ["__proto__", "constructor", "prototype"].indexOf(str.toLowerCase()) > -1) {
+ return str.toUpperCase()
+ }
+
+ return str;
+}
+
 /**
  * Parse the given query `str`.
  *
@@ -59,16 +75,17 @@ exports.parse = function(str){
 var pairs = str.split('&');
 for (var i = 0; i < pairs.length; i++) {
 var parts = pairs[i].split('=');
- var key = decode(parts[0]);
+ var key = sanitizeObjKey(decode(parts[0]));
 var m;
 if (m = pattern.exec(key)) {
- obj[m[1]] = obj[m[1]] || [];
- obj[m[1]][m[2]] = decode(parts[1]);
+ var objectKey = sanitizeObjKey(m[1])
+ obj[objectKey] = obj[objectKey] || [];
+ obj[objectKey][m[2]] = decode(parts[1]);
 continue;
 }
- obj[parts[0]] = null == parts[1]
+ obj[key] = null == parts[1]
 ? '' : decode(parts[1]);
 }
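Review bot: The JSDoc on sanitizeObjKey is tagged `@api public`, but the function is a module-local `var` that nothing in this hunk exports, so it should carry `@api private` like `decode` above it, and the summary line overstates what the body does. The code does not sanitize pollution; it compares the key case-insensitively against `__proto__`, `constructor` and `prototype` and returns it upper-cased so the pair lands as an ordinary own property instead of reaching the prototype chain, which means a harmless query key such as `constructor=1` now parses under the name `CONSTRUCTOR`. A header along the lines of `Rewrite keys that would address the prototype chain (case-insensitive match on __proto__, constructor, prototype) to upper case; every other key is returned unchanged.` would make that trade-off visible to the next reader. `return str.toUpperCase()` is also missing the semicolon the rest of the file uses.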
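Review bot: The line `obj[objectKey] = obj[objectKey] || [];` still consults the prototype chain for every key that is not in sanitizeObjKey's three-entry list: for a key naming any other inherited member of `obj`, the `||` sees a truthy inherited value rather than a missing array, and the next line `obj[objectKey][m[2]] = decode(parts[1]);` then writes an indexed property onto that shared built-in instead of onto a fresh array. An own-property check closes this without changing results for keys that genuinely exist, `obj[objectKey] = Object.prototype.hasOwnProperty.call(obj, objectKey) ? obj[objectKey] : [];`, and if `obj` (created outside this hunk, presumably as a plain `{}` literal) were built with `Object.create(null)` the denylist in sanitizeObjKey would not be needed at all. `var objectKey = sanitizeObjKey(m[1])` is missing its semicolon. exports.parse starts and ends outside this hunk.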