Threat Advisory

form-data-objectizer Prototype Pollution (CVE-2026-46510)

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-46510 (CVSS 8.2) is a prototype pollution vulnerability in the form-data-objectizer Node.js package, affecting versions 1.0.0 and earlier. The library converts bracket-notation form keys such as `user[name]` into nested objects but does not reject the key segments `__proto__`, `constructor` and `prototype`. A form field whose name begins with `__proto__[...]` therefore walks up the prototype chain and writes into Object.prototype, which is shared by every object in the Node.js process.

A single unauthenticated HTTP form submission is enough to trigger the flaw; no other preconditions are required. Because the written property lives on Object.prototype rather than on the parsed request object, the pollution persists for the life of the worker process and is visible to every subsequent request handled by that process. Depending on which properties are polluted, an attacker can bypass security checks that treat a missing property as false, inject unintended configuration values, break template rendering, or crash the worker by clobbering properties that other libraries read from the prototype chain. The business impact is rated high.
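To make the bug class concrete, the following is an added example written for this advisory, not the form-data-objectizer source: a minimal bracket-notation objectizer in an unfiltered form and a hardened form that rejects the three unsafe key segments. The field names, the `isAdmin` property and the `objectize`/`pollutionLeaks` helpers are constructed for illustration; the example undoes its own pollution so it can be run repeatedly in one process.

```javascript
'use strict';

// Constructed example (not the library's code): a minimal "objectizer" that
// turns bracket-notation form keys such as "user[name]" into nested objects.
// It runs in two modes: reject=false trusts every key segment (the bug class
// described in the advisory), reject=true refuses the segments that reach the
// prototype chain (the mitigation).

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a[b][c]" into ["a", "b", "c"]. Keys without well-formed brackets are
// returned as a single literal segment so the parser never throws on shape.
function splitKey(key) {
  const m = /^([^[\]]+)((?:\[[^[\]]*\])*)$/.exec(key);
  if (!m) return [key];
  const segs = [m[1]];
  const re = /\[([^[\]]*)\]/g;
  let s;
  while ((s = re.exec(m[2])) !== null) segs.push(s[1]);
  return segs;
}

// Walk/create the nested path and set the leaf. With reject=false the walk
// happily follows {}.__proto__ or {}.constructor.prototype up to
// Object.prototype, which is exactly the pollution primitive.
function assign(target, segs, value, reject) {
  let cur = target;
  for (let i = 0; i < segs.length; i++) {
    const seg = segs[i];
    if (reject && FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`rejected unsafe key segment: ${seg}`);
    }
    if (i === segs.length - 1) {
      cur[seg] = value;
      return;
    }
    const next = cur[seg];
    if (next === null || (typeof next !== 'object' && typeof next !== 'function')) {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
}

// fields: array of [name, value] pairs as a form body parser would deliver them.
function objectize(fields, { reject = true } = {}) {
  const out = {};
  for (const [key, value] of fields) assign(out, splitKey(key), value, reject);
  return out;
}

// A typical authorization check: a property missing from the session object
// is treated as "not admin". Once Object.prototype.isAdmin is "true", every
// session object inherits it and the check passes for everyone.
function isAdmin(session) {
  return session.isAdmin === 'true';
}

// Parse a single attacker-controlled field, report whether an unrelated fresh
// object now inherits isAdmin, then clean up so the pollution does not leak
// into the rest of this process.
function pollutionLeaks(fieldName, reject) {
  try {
    objectize([['user[name]', 'alice'], [fieldName, 'true']], { reject });
    return isAdmin({});
  } catch (e) {
    return false; // hardened parser refused the request
  } finally {
    delete Object.prototype.isAdmin;
  }
}

// Constructed vectors: the one named in the advisory and the equivalent
// constructor.prototype route, each against both parser modes.
const VECTORS = ['__proto__[isAdmin]', 'constructor[prototype][isAdmin]', 'user[isAdmin]'];
for (const v of VECTORS) {
  console.log(
    `${v.padEnd(34)} unfiltered leaks: ${pollutionLeaks(v, false)}` +
    `  hardened leaks: ${pollutionLeaks(v, true)}`
  );
}
```

Note that the hardened variant rejects the request outright rather than silently dropping the segment; a parser that drops `__proto__` but still descends into `constructor` would leave the second vector open, which is why all three segments are on the deny list.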


RECOMMENDATION:

Update `form-data-objectizer` to version 1.0.1 or later. Until the upgrade is deployed, restart affected worker processes after applying it: the polluted state lives only in process memory, so a restart clears any pollution already introduced.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-m2hg-wjq3-28wq
