Skip to main content

@rvf/set-get CVE-2026-44483

| EUVDEUVD-2026-32564 HIGH
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-05-11 https://github.com/airjp73/rvf GHSA-c567-44rc-m5hq
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 16:31 vuln.today
Analysis Generated
May 11, 2026 - 16:31 vuln.today
CVE Published
May 11, 2026 - 16:09 nvd
HIGH 8.2

DescriptionGitHub Advisory

Summary

setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on Object.prototype of the running server process.

This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator is affected.

Affected versions

  • @rvf/set-get < 7.0.2 (7.x line)
  • @rvf/set-get < 6.0.4 (6.x line)

Reached through @rvf/core versions that depend on a vulnerable @rvf/set-get (current 8.1.0 resolves to 7.0.1 without the override).

Patched

  • @rvf/set-get 7.0.2
  • @rvf/set-get 6.0.4

The fix adds a REJECT_KEYS blocklist (__proto__, constructor, prototype) and throws when one is encountered while walking a path inside setPath.

Proof of concept

Install a vulnerable resolution and run on Node 18+:

json
{
  "dependencies": { "@rvf/core": "8.1.0" },
  "overrides": { "@rvf/set-get": "7.0.1" }
}
js
const { preprocessFormData } = require('@rvf/core');

const form = new FormData();
form.append("username", "alice");
form.append("__proto__[polluted]", "yes");

preprocessFormData(form);
console.log(({}).polluted); // -> 'yes'

The field name __proto__[polluted] is the kind of value an attacker can submit from any HTML form or HTTP client. After the call, every plain object in the process inherits polluted = 'yes'.

A second working payload is constructor.prototype.<key>=<value>, which goes through setPath walking constructor then prototype.

Impact

  • Any property assignable on Object.prototype of the server process, set by a single unauthenticated HTTP request.
  • Persists for the life of the worker process and affects every subsequent request handled by the same process.
  • Direct downstream consequences depend on the host application and the rest of its dependency tree, but typical risks include: bypassing if (obj.isAdmin) style checks, injecting unintended config values into objects merged with user input, breaking template rendering, and crashing the worker by polluting properties used by other libraries (DoS).
  • Worth noting: the visible output of preprocessFormData does not contain the malicious key, so the attack leaves no obvious trace in request logs that show parsed bodies.

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L (8.2, High)

Integrity is High because the primitive lets the attacker change the meaning of property reads on every object in the process. Confidentiality is None and Availability is Low without a named downstream gadget; both could be higher in a specific consuming app.

Remediation for users

Upgrade to @rvf/set-get 7.0.2 or 6.0.4. If you cannot upgrade @rvf/core directly, an npm / pnpm override on @rvf/set-get works.

Credit

Reported by Mohamed Bassia (@0xBassia).

AnalysisAI

Prototype pollution in @rvf/set-get allows remote attackers to modify Object.prototype on Node.js servers processing form data via Remix or React Router applications. The setPath function fails to block dangerous property keys (__proto__, constructor, prototype) when flattening form submissions, enabling unauthenticated attackers to inject arbitrary properties into all JavaScript objects across the server process with a single malformed HTTP request. Working proof-of-concept code is publicly available demonstrating property injection via field names like '__proto__[polluted]'. The vulnerability affects default configurations with no special setup required - any endpoint using parseFormData or createValidator is exploitable. CVSS 8.2 High severity driven by network attack vector (AV:N), low complexity (AC:L), and no authentication requirement (PR:N), with high integrity impact from the ability to alter application logic process-wide.

Technical ContextAI

The vulnerability exists in the @rvf/set-get library (NPM packages pkg:npm/@rvf_set-get versions 6.x < 6.0.4 and 7.x < 7.0.2), which provides path-based object property setting for form data processing in Remix and React Router server-side applications. The core issue is a CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) flaw in the setPath function, which walks object paths derived from untrusted form field names without sanitizing JavaScript's special prototype chain properties. When user-controlled form data containing field names like '__proto__[key]' or 'constructor.prototype[key]' is passed through preprocessFormData (exposed via @rvf/core), the library sets properties directly on Object.prototype. This is a classic prototype pollution vulnerability where JavaScript's prototypal inheritance mechanism is exploited: polluting Object.prototype means every plain object {} in the Node.js process inherits the injected properties. The @rvf/core library version 8.1.0 transitively depends on the vulnerable @rvf/set-get 7.0.1, making the attack surface any server-side form handling endpoint in applications using the RVF (Remix Validated Form) ecosystem.

RemediationAI

Upgrade @rvf/set-get to version 7.0.2 (for 7.x users) or 6.0.4 (for 6.x users), which introduce a REJECT_KEYS blocklist that throws an error when __proto__, constructor, or prototype appear in form field paths. For applications using @rvf/core 8.1.0 or other versions with transitive dependencies on vulnerable @rvf/set-get, apply a package manager override to force resolution to the patched version: in package.json add '"overrides": { "@rvf/set-get": "7.0.2" }' for NPM/Yarn or use the equivalent pnpm.overrides mechanism. Verify the override took effect by checking node_modules/@rvf/set-get/package.json for version 7.0.2 or 6.0.4 after reinstalling dependencies. If immediate upgrade is blocked, implement a temporary input validation layer that rejects form submissions containing field names matching the pattern /__proto__|constructor|prototype/ before they reach preprocessFormData - note this workaround must be applied at the HTTP request parsing layer, not after @rvf processing, and may break legitimate use cases if applications intentionally use these strings in field names (unlikely but verify). The blocklist workaround is brittle and should be replaced with the vendor patch as soon as possible. Consult the GitHub advisory at https://github.com/airjp73/rvf/security/advisories/GHSA-c567-44rc-m5hq for additional context.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-44483 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy