Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...] causes the library to mutate Object.prototype, which is a prototype pollution primitive of the entire Node.js process.
The bug is in treatInitial and treatSecond inside index.cjs:
if (inputName in result) { // 'in' walks the prototype chain, so '__proto__' matches
newResult = result[inputName] // newResult === Object.prototype
}
// ...
result[key] = value // sets the property on Object.prototypeWith the form key __proto__[polluted] and value yes:
treatInitialmatchesinputName = "__proto__",rest = "[polluted]"."__proto__" in resultis true (inherited), sonewResult = result["__proto__"], which isObject.prototype.treatSecondrecurses withkey = "polluted",newRest = "", and assignsObject.prototype.polluted = "yes".
Affected versions
form-data-objectizer<= 1.0.0(currently the only published version)
Patched
Not yet. Suggested fix: reject any segment equal to __proto__, constructor, or prototype before walking into result[inputName] / result[key]. Either throw or skip the entry.
Minimum patch in treatInitial and treatSecond:
const REJECT = new Set(['__proto__', 'constructor', 'prototype']);
if (REJECT.has(inputName) || REJECT.has(key)) {
return; // or throw
}Using Object.create(null) for the result object would also work since it has no prototype to pollute, but the key === '__proto__' direct write still needs guarding.
Proof of concept
Fresh install on Node 18+:
mkdir pp-fdo && cd pp-fdo
npm init -y
npm install form-data-objectizer@1.0.0// poc.js
const FormDataToObject = require('form-data-objectizer');
const form = new FormData();
form.append('username', 'alice');
form.append('__proto__[polluted]', 'yes');
FormDataToObject.toObject(form);
console.log(({}).polluted); // -> 'yes'Observed output:
package version: 1.0.0
before pollution: undefined
after pollution: yes
parsed data: { username: 'alice' }
confirmed: YES, prototype pollutedThe field name __proto__[polluted] is the kind of value an attacker can submit from any HTML form or HTTP client. After the call, every plain object in the process inherits polluted = 'yes'. The visible parsed output drops the malicious key, so the attack leaves no obvious trace in request logs that show parsed bodies.
A second working payload is constructor[prototype][polluted]=yes, which walks result.constructor then .prototype.
Impact
- Default-reachable prototype pollution via a single unauthenticated HTTP form submission, in any Node.js application that uses
form-data-objectizer.toObject()on incoming form data. - Persists for the life of the worker process and affects every subsequent request handled by the same process.
- Direct downstream consequences depend on the host application and the rest of its dependency tree, but typical risks include: bypassing
if (obj.isAdmin)style checks, injecting unintended config values into objects merged with user input, breaking template rendering, and crashing the worker by polluting properties used by other libraries (DoS).
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L (8.2, High)
Integrity is High because the primitive lets the attacker change the meaning of property reads on every object in the process. Confidentiality is None and Availability is Low without a named downstream gadget; both could be higher in a specific consuming app.
Credit
Reported by Mohamed Bassia (@0xBassia).
AnalysisAI
Prototype pollution in the npm package form-data-objectizer (<= 1.0.0) lets unauthenticated remote attackers mutate Object.prototype by submitting a single HTTP form field whose name uses bracket notation such as __proto__[polluted] or constructor[prototype][polluted]. The defect lives in treatInitial/treatSecond inside index.cjs, where an 'in' check walks the prototype chain and lets the parser write to inherited properties. CVSS is 8.2 (High) with Integrity:High; publicly available exploit code exists (working PoC published in the GHSA advisory), but there is no public exploit identified as being used in attacks and no CISA KEV listing.
Technical ContextAI
form-data-objectizer is a small Node.js helper that converts a FormData object into a nested JavaScript object by parsing bracket-notation keys (e.g. user[address][city]) and recursively walking into sub-objects. The root cause is CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, a.k.a. Prototype Pollution): the parser uses the JavaScript 'in' operator, which traverses the prototype chain, so the literal key __proto__ resolves to Object.prototype and subsequent assignments mutate that shared prototype. Because every plain object in Node.js inherits from Object.prototype, a single tainted form submission can change the meaning of property lookups across the entire Node.js process. The CPE pkg:npm/form-data-objectizer identifies the affected package, and the commit diff (7c54b99) shows the fix introduces an assertSafeKeySegment guard for __proto__, constructor, and prototype, replaces 'in' with Object.prototype.hasOwnProperty.call (hasOwn), and adds regression tests.
RemediationAI
Vendor-released patch: form-data-objectizer 1.0.1 - upgrade via 'npm install form-data-objectizer@^1.0.1' (or pin >=1.0.1) and redeploy so all worker processes restart, since pollution persists for the process lifetime. The fix commit https://github.com/kaspernj/form-data-objectizer/commit/7c54b99408e6e9cd6533b7245bf197dadc2a2dbc rejects key segments equal to __proto__, constructor, or prototype and switches the membership test to Object.prototype.hasOwnProperty.call; see the GHSA at https://github.com/kaspernj/form-data-objectizer/security/advisories/GHSA-m2hg-wjq3-28wq. If upgrading is not immediately possible, pre-filter incoming form keys at the web/middleware layer to drop or 400-reject any field whose name contains the substrings __proto__, constructor, or prototype before invoking toObject() (trade-off: legitimate fields literally named 'constructor' or 'prototype' will be blocked), or fork the library to apply the published guard locally. Avoid 'merge this with a safe default' style mitigations that still hand attacker-controlled keys to the vulnerable parser.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33321
GHSA-m2hg-wjq3-28wq