CVE-2026-46510: form-data-objectizer Prototype Pollution Vulnerability (CVSS 8.2)
form-data-objectizer is a Node.js library that converts HTML form data into JavaScript objects. Versions prior to 1.0.1 contain a prototype pollution vulnerability. An attacker can craft an HTTP form submission with a specially-named field (beginning with __proto__) that causes the library to overwrite Object.prototype—the base template all JavaScript objects inherit from. This single malicious form field corrupts the entire Node.js process, allowing an attacker to inject arbitrary properties into all objects, potentially leading to authentication bypass, data manipulation, or application crashes.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
- Weaknesses (CWE)
- CWE-1321
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...] causes the library to mutate Object.prototype, which is a prototype pollution primitive of the entire Node.js process. This vulnerability is fixed in 1.0.1.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from unsafe bracket-notation parsing in form-data-objectizer. When processing form field names like name[sub][key], the library recursively creates nested object properties without sanitizing reserved keywords. Specifically, it fails to filter __proto__, constructor, or prototype. An attacker sends a form field named __proto__[polluted]=true, and the library assigns this to Object.prototype.polluted, poisoning the prototype chain. Because every JavaScript object inherits from Object.prototype, this mutation affects all downstream object property lookups in the process. The vector is network-accessible with no authentication required and no user interaction necessary.
Business impact
Applications using form-data-objectizer become vulnerable to silent, application-wide object property injection. An attacker may inject properties that bypass security checks, disable authentication logic, or override application constants. For multi-tenant services, this could enable cross-tenant data access or privilege escalation. The impact compounds when the application trusts form input or uses it in security-sensitive contexts. Process-wide corruption means a single HTTP request can compromise all concurrent requests and long-lived connections, making this particularly dangerous in high-throughput environments.
Affected systems
The vulnerability affects all versions of form-data-objectizer prior to 1.0.1. Applications using this library to parse FormData or URL-encoded form submissions are at risk. The affected versions are those before 1.0.1; verify your application's dependency tree to identify which projects have form-data-objectizer as a direct or transitive dependency.
Exploitability
Exploitation is trivial and requires only an HTTP form submission. No authentication, user interaction, or privileged access is needed. An unauthenticated attacker on the network can craft a malicious form and send it to any endpoint using form-data-objectizer. The attack is deterministic and reliable. The CVSS 3.1 score of 8.2 (HIGH) reflects this combination: network-accessible, low complexity, no privileges required, high integrity impact (object pollution), and low availability impact (potential DoS).
Remediation
Upgrade form-data-objectizer to version 1.0.1 or later. This version filters __proto__, constructor, and prototype from bracket-notation parsing. After patching, redeploy all affected Node.js applications. In parallel, review application code for unnecessary trust of form input in security-sensitive operations.
Patch guidance
1. Audit your package.json and lock files to identify the current version of form-data-objectizer. 2. Update the dependency to 1.0.1 or the latest version using npm update form-data-objectizer or yarn upgrade form-data-objectizer. 3. Run your test suite to confirm compatibility. 4. Redeploy to staging and production environments. 5. Verify the patch by checking package-lock.json or yarn.lock reflects 1.0.1 or later.
Detection guidance
Monitor HTTP logs for form submissions with field names containing __proto__, constructor, or prototype. Inspect web server and application logs for unusual form field names. Configure WAF rules to block or flag requests with these patterns in POST/form data. Examine runtime behavior for unexpected property pollution (check for injected properties on Object.prototype). For existing deployments, enable detailed logging of form field names before parsing.
Why prioritize this
This vulnerability rates HIGH priority because it requires minimal attacker effort, has no prerequisites, and compromises the security boundary of the entire Node.js process. Any application relying on form input for access control, session validation, or data filtering is at elevated risk. Organizations should prioritize patching within 2–4 weeks given the ease of exploitation.
Risk score, explained
CVSS 3.1 score of 8.2 reflects: (1) Network-accessible attack surface with no authentication or user interaction required; (2) low attack complexity; (3) high integrity impact through object prototype pollution affecting all objects; (4) low availability impact through potential resource exhaustion or logic errors; (5) no scope change (single process). The score aligns with the severity of a process-wide object injection primitive that is trivial to trigger.
Frequently asked questions
Can this be exploited without sending an HTTP request?
No. The vulnerability is only triggered when an attacker sends a form submission with a __proto__-prefixed field name to a server running the vulnerable library. It requires network access to an endpoint that uses form-data-objectizer.
Will upgrading to 1.0.1 break my application?
Version 1.0.1 filters reserved keywords during bracket-notation parsing, so legitimate form fields are unaffected. Only malicious __proto__ payloads are blocked. Test thoroughly in staging, but the patch is designed for drop-in compatibility.
What if I can't update immediately?
Implement WAF rules to block form field names containing __proto__, constructor, or prototype. Review and harden form input validation. Consider disabling or isolating any endpoints that accept complex nested form data until patching is complete.
Does this affect only Node.js applications?
form-data-objectizer is a Node.js library, so yes—only Node.js applications using this specific package are affected. However, similar prototype pollution patterns may exist in other libraries; audit your dependency chain.
This analysis is based on published vulnerability data as of the date of writing. No exploit code or weaponized proof-of-concept is provided. Organizations should verify patch availability and compatibility against vendor advisories before deployment. CVSS scores and affected versions reflect the source data provided; refer to official vendor documentation for the authoritative patch matrix. Use this guidance for risk assessment and priority planning, not as a substitute for your organization's security review process. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-45302HIGHPrototype Pollution in parse-nested-form-data Before 1.0.1
- CVE-2026-46509HIGHPrototype Pollution in deepobj JavaScript Library
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction