Threat Advisory

parse-nested-form-data Vulnerability: Incorrect Key Filtering Causes Prototype Pollution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-45302 (CVSS score 8.2) is a prototype pollution vulnerability in the npm package parse-nested-form-data. The parseFormData function expands bracket and dot-notation FormData field names (for example user[profile][name] or user.profile.name) into nested objects without filtering reserved property keys. A field name whose path includes a key such as __proto__ therefore lets an attacker traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. Exploitation only requires that attacker-controlled FormData reach parseFormData, which is the normal case for an HTTP server that processes form submissions; a single crafted field name is enough to mutate Object.prototype. The consequences depend on the host application and range from corrupted application state and altered control flow in code that relies on ambient object properties to denial of service. No special prerequisites are required for exploitation, so the issue warrants immediate attention.
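The following is an added example, not code from parse-nested-form-data or its advisory: a minimal bracket/dot-notation field-name walker written to reproduce the class of bug described above, next to a hardened version that filters reserved keys. Function names (splitPath, setPathUnsafe, setPathSafe, parseFields, probePollution) and the attacker field names are hypothetical and constructed for the demonstration.

```javascript
// Added example (not parse-nested-form-data's own code): a minimal
// bracket/dot-notation field-name walker that reproduces the class of bug
// described in the advisory, beside a hardened version. Names are hypothetical.

// Keys that must never be used as a traversal step or an assignment target.
const RESERVED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// "user[profile][name]" and "user.profile.name" both become ["user","profile","name"].
function splitPath(name) {
  return name
    .replace(/\]/g, "")
    .split(/\[|\./)
    .filter((segment) => segment.length > 0);
}

// Vulnerable walker: every segment is used as a property key. For the field
// "__proto__[polluted]" the first step reads root.__proto__, which is the
// inherited Object.prototype, so the final assignment lands there.
function setPathUnsafe(target, name, value) {
  const segments = splitPath(name);
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (cur[key] === undefined) cur[key] = {}; // inherited keys are never undefined
    cur = cur[key];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Hardened walker: reject reserved keys outright, only descend into own
// properties, and build containers with no prototype chain to pollute.
function setPathSafe(target, name, value) {
  const segments = splitPath(name);
  for (const key of segments) {
    if (RESERVED_KEYS.has(key)) throw new Error(`reserved key rejected: ${key}`);
  }
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== "object" || cur[key] === null) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Parse an iterable of [name, value] pairs (the shape FormData.entries() yields)
// into a nested object using the supplied walker.
function parseFields(entries, setter) {
  const root = {};
  for (const [name, value] of entries) setter(root, name, value);
  return root;
}

// Feed one constructed attacker-controlled field to a walker and report whether
// the walker threw and whether an unrelated, freshly created object now sees
// the injected property. The prototype is restored afterwards so the probe
// can be repeated in the same process.
function probePollution(setter, fieldName) {
  let threw = false;
  try {
    parseFields([[fieldName, "yes"]], setter);
  } catch (e) {
    threw = true;
  }
  const polluted = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return { threw, polluted };
}

// Constructed inputs: two traversal vectors and one benign submission.
const ATTACK_VECTORS = ["__proto__[polluted]", "constructor[prototype][polluted]"];
const BENIGN_FIELDS = [["user.profile.name", "alice"], ["user[tags]", "x"]];

for (const vector of ATTACK_VECTORS) {
  console.log("unsafe", vector, probePollution(setPathUnsafe, vector));
  console.log("safe  ", vector, probePollution(setPathSafe, vector));
}
console.log("benign", JSON.stringify(parseFields(BENIGN_FIELDS, setPathSafe)));
```

Running the block shows the unsafe walker reporting polluted: true for both vectors while the hardened walker throws before touching the object graph, and the benign submission still parses into { user: { profile: { name: "alice" }, tags: "x" } }. Rejecting reserved keys is the fix the advisory points to; descending only into own properties and allocating containers with Object.create(null) are extra layers that also stop traversal through inherited properties such as constructor.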


RECOMMENDATION:

We recommend updating parse-nested-form-data to version 1.0.1 or later. Confirm the installed version with npm ls parse-nested-form-data, including transitive copies pulled in by other dependencies. Because a polluted Object.prototype persists for the lifetime of the process, restart any Node.js process that may have handled untrusted form data after updating.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-xp7r-j8r6-j9h3
