Conform CVE-2026-49250
HIGHSeverity by source
Remote unauthenticated form submission (AV:N/AC:L/PR:N/UI:N) with no confidentiality or integrity impact; availability set to Low as a single crafted request causes a CPU spike rather than guaranteed sustained outage.
Lifecycle Timeline
1Blast Radius
ecosystem impact- 4 npm packages depend on @conform-to/dom (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.8.0.
DescriptionCVE.org
A CPU exhaustion vulnerability exists in Conform's parseSubmission future API when parsing FormData or URLSearchParams submissions with many unique field names. The parser previously looked up values by field name, which could require repeated scans of the submitted entries and cause excessive synchronous CPU work if an attacker supplies a crafted submission.
> [!NOTE] > The patched version fixes this by iterating submitted entries directly instead of repeatedly looking up values by field name. Applications that accept untrusted form submissions should still enforce request parsing limits before passing data to Conform. For multipart requests, @remix-run/form-data-parser provides maxParts, maxTotalSize, maxFileSize, maxFiles, and maxHeaderSize options.
AnalysisAI
Denial of service in Conform's parseSubmission future API allows remote attackers to exhaust server CPU by submitting FormData or URLSearchParams payloads containing many unique field names. Affecting the @conform-to/dom npm package used in React/Remix form-handling stacks, the flaw stems from the parser repeatedly scanning submitted entries during name-based value lookups, producing worst-case super-linear (effectively quadratic) synchronous work per request. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an application that accepts untrusted FormData or URLSearchParams submissions and passes them to Conform's `parseSubmission` future API without upstream request parsing limits. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector, EPSS score, KEV entry, or POC is provided, so quantitative signals are absent and must be inferred. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker posts a crafted FormData or URLSearchParams body containing tens of thousands of distinct field names to a public endpoint that calls Conform's `parseSubmission`. The parser's repeated name-based scans consume excessive synchronous CPU, blocking the Node.js event loop and degrading or stalling the service for all users; repeating the request sustains the outage. … |
| Remediation | Upgrade @conform-to/dom to the patched release, which iterates submitted entries directly rather than repeatedly looking up values by field name; the exact fixed version is not in the provided data, so consult GitHub advisory GHSA-525m-7f82-2mf7 (https://github.com/edmundhung/conform/security/advisories/GHSA-525m-7f82-2mf7) for the precise version and update accordingly - Patch available per vendor advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all production applications using @conform-to/dom via package.json review and npm audit. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-525m-7f82-2mf7