PT-2025-42389 · Unknown · Sveltekit-Superforms

Published: 2025-10-15 · Updated: 2025-10-18 · CVE-2025-62381

CVSS v4.0: 8.3 (High)

Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: sveltekit-superforms versions prior to 2.27.4
Description: The parseFormData() function in formData.js of sveltekit-superforms is susceptible to prototype pollution. An attacker can inject properties into Object.prototype, potentially leading to denial of service, type confusion, and remote code execution in applications that use the polluted objects.
Recommendations: Update to version 2.27.4 or later.
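As an added illustration of the mitigation (this is example code, not sveltekit-superforms' own implementation, and it assumes a dotted field-name syntax such as `user.name` for nested data): a form-data parser that refuses the key segments through which a request could reach Object.prototype, walks only own properties, and exposes a check that the global prototype stayed clean.

```javascript
// Added example, not sveltekit-superforms' own code. Assumes a dotted
// field-name syntax ("user.name" -> { user: { name } }) for nested data.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assign `value` at `path` inside `target`. Segments that could reach
// Object.prototype are refused, and only own properties are walked.
function setPath(target, path, value) {
  const segments = path.split('.');
  let node = target;
  for (let i = 0; i < segments.length; i++) {
    const key = segments[i];
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`unsafe key "${key}" in field "${path}"`);
    }
    if (i === segments.length - 1) {
      node[key] = value;
      break;
    }
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  return target;
}

// Parse an iterable of [name, value] pairs (a FormData instance qualifies)
// into a plain object; fields failing the key check land in `rejected`.
function parseFormDataSafe(entries) {
  const data = {};
  const rejected = [];
  for (const [name, value] of entries) {
    try {
      setPath(data, name, value);
    } catch (err) {
      rejected.push(name);
    }
  }
  return { data, rejected };
}

// True when no property of that name has leaked onto Object.prototype.
function prototypeIsClean(prop) {
  return !(prop in {});
}
// Constructed sample: two ordinary fields plus one field name shaped like a
// polluting request, so the rejection path is exercised.
const SAMPLE_FIELDS = [['user.name', 'alice'], ['user.roles.admin', 'false'], ['__proto__.polluted', 'yes']];
```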

Exploit · Fix · DoS · RCE · Prototype Pollution


Weakness Enumeration

Related Identifiers: CVE-2025-62381, GHSA-HWMC-4C8J-XXJ7

Affected Products: Sveltekit-Superforms