diff --git a/packages/playwright-core/src/utils/isomorphic/utilityScriptSerializers.ts b/packages/playwright-core/src/utils/isomorphic/utilityScriptSerializers.ts
index 1273453959..0a65978032 100644
--- a/packages/playwright-core/src/utils/isomorphic/utilityScriptSerializers.ts
+++ b/packages/playwright-core/src/utils/isomorphic/utilityScriptSerializers.ts
@@ -156,8 +156,11 @@ export function parseEvaluationResultValue(value: SerializedValue, handles: any[
     if ('o' in value) {
       const result: any = {};
       refs.set(value.id, result);
-      for (const { k, v } of value.o)
+      for (const { k, v } of value.o) {
+        if (k === '__proto__')
+          continue;
         result[k] = parseEvaluationResultValue(v, handles, refs);
+      }
       return result;
     }
     if ('h' in value)
diff --git a/tests/page/page-evaluate.spec.ts b/tests/page/page-evaluate.spec.ts
index 11e0d5dbce..2b82684fc0 100644
--- a/tests/page/page-evaluate.spec.ts
+++ b/tests/page/page-evaluate.spec.ts
@@ -881,3 +881,12 @@ it('should work with deleted Map', {
   await page.goto(server.PREFIX + '/page');
   expect(await page.evaluate(x => ({ value: 2 * x }), 17)).toEqual({ value: 34 });
 });
+
+it('should ignore dangerous object keys', async ({ page }) => {
+  const input = {
+    __proto__: { polluted: true },
+    safeKey: 'safeValue'
+  };
+  const result = await page.evaluate(arg => arg, input);
+  expect(result).toEqual({ safeKey: 'safeValue' });
+});