CVE-2026-45302: Prototype Pollution in parse-nested-form-data Before 1.0.1
parse-nested-form-data is a Node.js library that converts web form submissions into structured JavaScript objects and arrays. Versions before 1.0.1 contain a prototype pollution vulnerability: if an attacker submits a form field with a name like `__proto__` or containing `.__proto__.` anywhere in it, the parser inadvertently modifies JavaScript's Object.prototype. This pollutes the prototype chain for every plain object created in the application afterward, potentially corrupting application logic, exposing sensitive data, or enabling denial of service.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
- Weaknesses (CWE)
- CWE-1321
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from unsafe traversal of FormData field names using bracket and dot notation without validation of reserved property keys. When parseFormData() encounters a field name containing `__proto__` as a segment, it writes directly to Object.prototype rather than halting or sanitizing the input. This is a classic prototype pollution flaw. An attacker controlling form field names can inject arbitrary properties into the prototype chain, affecting all objects that inherit from Object—essentially every plain object in the running process. The issue is network-accessible (AV:N), requires no authentication (PR:N), and can be triggered through a single malicious form submission.
Business impact
Applications using vulnerable versions of parse-nested-form-data face integrity and availability risks. An attacker can corrupt application state by polluting object prototypes, potentially causing unexpected behavior in business logic, authentication checks, or data validation routines. In worst-case scenarios, an attacker could disable critical features or leak sensitive information stored in object properties. The attack requires only network access and no user interaction, making it a straightforward vector for malicious actors. Any user-facing application or API endpoint that accepts and parses form data using this library is exposed.
Affected systems
All applications running parse-nested-form-data versions prior to 1.0.1 are affected. This includes any Node.js application that imports and uses the parseFormData() function to process user-submitted form data. Because the library is published on npm and is designed for form parsing, affected systems span web applications, REST APIs, microservices, and backend systems that accept multipart/form-data or application/x-www-form-urlencoded submissions. The vulnerability's scope is determined by the version constraint in each application's package.json or package-lock.json.
Exploitability
Exploitation is straightforward and requires minimal effort. An attacker simply crafts a form submission with a malicious field name—for example, a field named `__proto__.isAdmin` set to `true`, or `__proto__.constructor.prototype.adminBypass` with any value. No special tools, authentication, or user interaction are required. The attack is immediate upon form submission and affects the entire application process. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects this low barrier to entry. However, the impact is not critical because the vulnerability results in information disclosure or availability degradation rather than remote code execution.
Remediation
Upgrade parse-nested-form-data to version 1.0.1 or later immediately. Version 1.0.1 includes filtering logic that prevents traversal into reserved prototype keys. After upgrading, restart all application instances. Verify that your application's dependency lock file (package-lock.json or yarn.lock) reflects the patched version. If you cannot upgrade immediately, implement input validation upstream: reject or sanitize any form field names containing `__proto__`, `constructor`, or `prototype` segments before passing them to the parser.
Patch guidance
Patch deployment is straightforward: run `npm update parse-nested-form-data` or `yarn upgrade parse-nested-form-data` to pull version 1.0.1 or later. Verify the installed version in node_modules or via `npm list parse-nested-form-data`. Confirm the version matches 1.0.1+ in your package-lock.json. Restart your application process to load the patched code. Testing should include a basic smoke test to confirm form parsing still works for legitimate inputs. Consider adding test cases for malicious field names to prevent regression.
Detection guidance
Monitor application logs and request bodies for form field names containing `__proto__`, `constructor`, or `prototype` segments. These patterns in FormData submissions are strong indicators of attempted exploitation. Intrusion detection systems and WAF rules can flag requests with these keywords in parameter names. Additionally, monitor for unexpected changes to Object.prototype at runtime (difficult but possible with custom instrumentation). Review application behavior logs for anomalies in object property values—if prototype pollution has occurred, you may see unexpected properties appearing in objects throughout your application.
Why prioritize this
This vulnerability scores HIGH (8.2) due to network accessibility, absence of authentication or user interaction barriers, and significant integrity/availability impact. While not critical (no RCE), prototype pollution in production systems can cascade into serious issues. The attack surface is large (any form submission), the fix is simple (upgrade), and the risk of active exploitation is real. Prioritize based on whether your application is internet-facing and whether it directly uses parse-nested-form-data; non-public internal tools are lower risk.
Risk score, explained
CVSS 3.1 score of 8.2 (HIGH) is justified by: Attack Vector Network (AV:N)—remotely exploitable; Attack Complexity Low (AC:L)—no special conditions required; Privileges Required None (PR:N)—unauthenticated access sufficient; User Interaction None (UI:N)—automatic upon form submission; Scope Unchanged (S:U)—impact limited to the vulnerable application; Confidentiality None (C:N)—no direct data exposure; Integrity High (I:H)—object properties can be corrupted; Availability Low (A:L)—denial of service possible through logic disruption. The score does not reach Critical (9.0+) because the vulnerability does not grant code execution or direct access to sensitive data, only the ability to corrupt application state.
Frequently asked questions
Can this vulnerability lead to remote code execution?
No. Prototype pollution in Node.js cannot directly execute arbitrary code in the way that buffer overflows or template injection might. However, it can corrupt object properties used in security-critical logic (e.g., authentication flags, authorization checks), leading to privilege escalation or data manipulation. In some application architectures, it might enable secondary attacks if developers use eval() or similar on polluted properties—but those would be separate vulnerabilities.
Do we need to patch if our application doesn't accept form data from untrusted sources?
If your application only processes form data from trusted internal sources or has strong authentication that prevents untrusted users from submitting forms, the risk is lower. However, best practice is still to upgrade. Threat landscapes change, and defense-in-depth is important. Assume you'll want to accept user input in the future; keeping dependencies patched eliminates this vector.
What does 'prototype pollution' mean in practical terms?
In JavaScript, objects inherit properties from Object.prototype. Prototype pollution lets an attacker add or modify properties on Object.prototype itself, so every object created thereafter sees those properties. For example, polluting with `isAdmin=true` could make the attacker appear as an admin to any code checking `if(user.isAdmin)`. It's a subtle but powerful corruption of application state.
Is parse-nested-form-data still maintained?
The library was patched in version 1.0.1 as of the vulnerability publication date (June 2026). Check the npm package page and GitHub repository for the latest maintenance status. If the project is dormant, consider whether a maintained alternative would be suitable for your use case.
This analysis is provided for informational purposes based on the published CVE record as of the modification date (2026-06-17). SEC.co does not independently verify vendor patch effectiveness or exploit claims. Organizations should evaluate applicability to their environment, consult the official parse-nested-form-data advisory, and conduct testing before deploying patches to production. CVSS scores are provided by the source and reflect a point-in-time assessment; context and threat landscape may alter risk prioritization for your organization. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-46509HIGHPrototype Pollution in deepobj JavaScript Library
- CVE-2026-46510HIGHform-data-objectizer Prototype Pollution Vulnerability (CVSS 8.2)
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction