diff --git a/packages/datadog-instrumentations/src/graphql.js b/packages/datadog-instrumentations/src/graphql.js
index 52562c8316c..025ed40ac27 100644
--- a/packages/datadog-instrumentations/src/graphql.js
+++ b/packages/datadog-instrumentations/src/graphql.js
@@ -171,7 +171,7 @@ function wrapExecute (execute) {
         args,
         docSource: documentSources.get(document),
         source,
-        fields: {},
+        fields: Object.create(null),
         abortController: new AbortController(),
       }
 
@@ -260,7 +260,9 @@ function pathToArray (path) {
   const flattened = []
   let curr = path
   while (curr) {
-    flattened.push(curr.key)
+    if (typeof curr.key === 'string' || typeof curr.key === 'number') {
+      flattened.push(curr.key)
+    }
     curr = curr.prev
   }
   return flattened.reverse()
diff --git a/packages/datadog-plugin-graphql/test/index.spec.js b/packages/datadog-plugin-graphql/test/index.spec.js
index 73385f89f7d..d481dd25dc6 100644
--- a/packages/datadog-plugin-graphql/test/index.spec.js
+++ b/packages/datadog-plugin-graphql/test/index.spec.js
@@ -338,6 +338,20 @@ describe('Plugin', () => {
           }
         )
 
+        it('should not crash on prototype pollution attempt', done => {
+          agent
+            .assertSomeTraces(() => {})
+            .catch(done)
+          graphql.graphql({ schema, source: '{ __proto__: hello }' })
+            .then((result) => {
+              assert.ok(!result.errors || result.errors.length === 0)
+              // eslint-disable-next-line no-proto
+              assert.strictEqual(result.data.__proto__, null)
+              done()
+            })
+            .catch(done)
+        })
+
         it('should instrument parsing', done => {
           const source = 'query MyQuery { hello(name: "world") }'
           const variableValues = { who: 'world' }