PT-2025-138 · Foundry Gaming, LLC. · Foundry Virtual Tabletop

Олег Сурнин (Positive Technologies)

Published: 2026-03-03 · Updated: 2026-03-03

CVSS v4.0: 7.1 (High)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

PT-2025-138: Server-Side Prototype Pollution in Foundry Virtual Tabletop

Description

A vulnerability has been identified in Foundry Virtual Tabletop affecting version 13.350. The discovered vulnerability can be exploited by an attacker to inject arbitrary properties into the global object prototype of the Foundry Virtual Tabletop (FVT) server through unsafe recursive merge operations on user input. This allows the attacker to modify the base prototype of JavaScript objects, which subsequently leads to various types of attacks: denial of service (DoS) through infinite recursion, authentication bypass, and other potential threats.

Vulnerability status: Confirmed by the vendor.
Vulnerability fix date: 11/12/2025.

Recommendations

Update to version 13.351 or higher.

Affected Products

Foundry Virtual Tabletop