Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
2Blast Radius
ecosystem impact- 7 npm packages depend on parse-nested-form-data (5 direct, 2 indirect)
Ecosystem-wide dependent count for version 1.0.1.
DescriptionGitHub Advisory
Summary
parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process.
Details
The vulnerability is in handlePathPart in src/index.ts, which performs currentObject[pathPart.path] and currentObject[pathPart.path] = val for object-type path segments without rejecting reserved keys. When the segment is __proto__, the read returns Object.prototype, which then becomes the next traversal target, and the next assignment lands on the prototype.
Reproduction on a fresh install of parse-nested-form-data@1.0.0:
import { parseFormData } from 'parse-nested-form-data';
const fd = new FormData();
fd.append('__proto__.polluted', 'yes');
parseFormData(fd);
console.log(({}).polluted); // -> 'yes'
console.log(([]).polluted); // -> 'yes'Equivalent vectors:
__proto__[polluted]=yesa.__proto__.polluted=yes(mid-path traversal)a[0].__proto__.polluted=yes(mid-path through an array element)
constructor.prototype.x was incidentally blocked by an existing duplicate-key guard (because Object is a function and failed the JSON-object check), but relying on that was fragile, so the fix denylists constructor and prototype as well as __proto__. The array branch (a[0], a[]) was not exploitable in practice - the regex restricts array-index segments to digit characters - but the forbidden-key check is applied before the object/array type branching as defense in depth, so any future change to the regex cannot reintroduce the issue.
Impact
Any application that passes attacker-controlled FormData (or any Iterable<[string, string | File]>) to parseFormData() - typically an HTTP server processing form submissions - allows an unauthenticated remote client to mutate Object.prototype of the running process via a single field name. Concrete consequences depend on the host application and may include corrupted application state, altered control flow in code that reads ambient properties off objects, and denial of service.
Patches
Fixed in 1.0.1. handlePathPart now throws a new ForbiddenKeyError (also exported) when any path segment is __proto__, constructor, or prototype, regardless of whether the segment would be used as an object key or an array index. The check runs before object/array type branching for defense in depth.
Upgrade:
npm install parse-nested-form-data@^1.0.1Workarounds
If upgrading is not possible, validate field names before calling parseFormData():
const FORBIDDEN = /(^|\.)(__proto__|constructor|prototype)($|[.[])/;
for (const [name] of formData.entries()) {
if (FORBIDDEN.test(name)) throw new Error('Unsafe field name');
}Resources
- CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
- Fix commit: 527ad58eb486e32438f7198fb88315c20449d792
AnalysisAI
Prototype pollution in the npm package parse-nested-form-data version 1.0.0 and earlier allows unauthenticated remote clients to mutate Object.prototype of the running Node.js process by submitting a FormData field whose name contains __proto__ in bracket or dot notation. The flaw resides in handlePathPart in src/index.ts, which walks nested path segments without filtering reserved keys, so a single crafted field name pollutes the prototype chain of every plain object in the process. No public exploit identified at time of analysis, but a working proof-of-concept is published in the GHSA advisory itself.
Technical ContextAI
parse-nested-form-data is a TypeScript/JavaScript library that converts a FormData iterable into a nested JavaScript object by interpreting bracket (a[b]) and dot (a.b) notation in field names. The root cause is CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes): handlePathPart performs currentObject[pathPart.path] reads and writes during traversal, so when a segment equals __proto__, the read returns Object.prototype and the next assignment lands on the shared prototype. The CPE pkg:npm/parse-nested-form-data identifies the single affected npm package; constructor and prototype were also denylisted in the fix as defense in depth, even though constructor.prototype.x was incidentally blocked by an existing duplicate-key guard and array-index segments are restricted to digits by regex.
RemediationAI
Vendor-released patch: upgrade to parse-nested-form-data 1.0.1 or later via npm install parse-nested-form-data@^1.0.1; the release is tagged at https://github.com/milamer/parse-nested-form-data/releases/tag/v1.0.1 and the fix commit is 527ad58eb486e32438f7198fb88315c20449d792, which adds a ForbiddenKeyError thrown when any path segment equals __proto__, constructor, or prototype before the object/array branching. If upgrade is blocked, the vendor-documented workaround is to pre-validate FormData field names with the regex /(^|\.)(__proto__|constructor|prototype)($|[.[])/ and reject matching names before invoking parseFormData(); the trade-off is that legitimate forms with fields literally named constructor or prototype will be rejected, and the validator must be applied at every call site. Dependabot and npm audit will surface this advisory automatically once 1.0.1 is published.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33723
GHSA-xp7r-j8r6-j9h3