PT-2025-51757 · Vercel +2 · Next.js App Router +2
Published 2025-12-16 · Updated 2025-12-16 · CVE-2025-68130
CVSS v4.0: 8.5 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L |
Name of the Vulnerable Software and Affected Versions
tRPC versions 10.27.0 through 10.45.2
tRPC versions 11.0.0 through 11.7.9
Description
tRPC enables the creation of fully typesafe APIs without requiring schemas or code generation. A prototype pollution issue exists in the formDataToObject function of @trpc/server, which turns a multipart form submission into a nested input object when used with the Next.js App Router adapter. Field names are interpreted as object paths, so an attacker who submits a specially crafted field name whose path passes through __proto__ (or through constructor and prototype) can write properties onto Object.prototype, where they are inherited by every object in the process. Depending on which properties the application reads, this can lead to authorization bypass (for example a polluted flag that user or context objects now appear to carry) or denial of service. The issue is only present when procedures are invoked through experimental_caller / experimental_nextAppDirCaller.
Recommendations
Update to tRPC version 10.45.3 or later on the 10.x line.
Update to tRPC version 11.8.0 or later on the 11.x line.
Deployments that do not use experimental_caller / experimental_nextAppDirCaller are not exposed to this issue, but upgrading remains the supported remediation.
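The mechanism behind the description, as an added example that is not code from tRPC or from this advisory: a minimal bracket-notation parser in the style of formDataToObject, in a vulnerable variant and a hardened one, run over a constructed submission that contains a crafted field name. The function names (formDataToObjectVulnerable, formDataToObjectHardened, setVulnerable, setHardened, demo), the UNSAFE_KEYS list and the sample entries are assumptions made for illustration; tRPC's real parser and its fix may differ in detail.

```javascript
// Added example, not tRPC's own code: a minimal bracket-notation parser in the
// style of formDataToObject, shown in a vulnerable and a hardened variant.
// Function names, the UNSAFE_KEYS list and the sample entries are assumptions
// made for illustration.

const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// "user[roles][0]" -> ["user", "roles", "0"]; same key grammar for both variants.
function splitKey(key) {
  return key.split(/[.[\]]+/).filter(Boolean);
}

// Vulnerable variant: walks the path on ordinary objects without checking
// segment names. For "__proto__[isAdmin]" the lookup obj["__proto__"] returns
// Object.prototype, so the final assignment lands on the shared prototype.
function setVulnerable(obj, path, value) {
  const [head, ...rest] = path;
  if (rest.length === 0) {
    obj[head] = value;
    return;
  }
  if (obj[head] === undefined) {
    obj[head] = /^\d+$/.test(rest[0]) ? [] : {};
  }
  setVulnerable(obj[head], rest, value);
}

function formDataToObjectVulnerable(entries) {
  const obj = {};
  for (const [key, value] of entries) {
    setVulnerable(obj, splitKey(key), value);
  }
  return obj;
}

// Hardened variant: rejects prototype-related segments outright, only
// descends into own properties, and builds null-prototype containers so a
// missed segment still cannot reach Object.prototype.
function setHardened(obj, path, value) {
  const [head, ...rest] = path;
  if (UNSAFE_KEYS.has(head)) {
    throw new Error(`Refusing to set unsafe key "${head}"`);
  }
  if (rest.length === 0) {
    obj[head] = value;
    return;
  }
  if (!Object.prototype.hasOwnProperty.call(obj, head)) {
    obj[head] = /^\d+$/.test(rest[0]) ? [] : Object.create(null);
  }
  setHardened(obj[head], rest, value);
}

function formDataToObjectHardened(entries) {
  const obj = Object.create(null);
  for (const [key, value] of entries) {
    setHardened(obj, splitKey(key), value);
  }
  return obj;
}

// Constructed sample submission: one honest field plus one crafted field name.
// A real FormData instance yields the same [name, value] pairs via .entries().
const craftedEntries = [
  ["name", "alice"],
  ["__proto__[isAdmin]", "true"],
];

// Runs both parsers over the crafted input and reports the state of a fresh,
// unrelated object after each, which is where pollution becomes visible.
function demo() {
  const before = {}.isAdmin; // undefined while Object.prototype is clean
  formDataToObjectVulnerable(craftedEntries);
  const afterVulnerable = {}.isAdmin; // "true": every object now reports isAdmin
  delete Object.prototype.isAdmin; // undo the pollution so the process stays sane

  let hardenedError = null;
  try {
    formDataToObjectHardened(craftedEntries);
  } catch (e) {
    hardenedError = e.message;
  }
  const afterHardened = {}.isAdmin; // still undefined: the crafted key was refused
  return { before, afterVulnerable, hardenedError, afterHardened };
}

console.log(demo());
```

The authorization-bypass angle follows directly from the demo: once Object.prototype.isAdmin is "true", a check such as `if (ctx.user.isAdmin)` passes for any user object that does not define its own isAdmin. The deny list includes constructor and prototype as well as __proto__ because a path like constructor[prototype][isAdmin] reaches Object.prototype through the Object constructor without ever naming __proto__. Null-prototype containers are a second layer: even a key that slips past the list has no inherited __proto__ accessor to write through.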
Tags: Exploit · Fix · Prototype Pollution
Affected Products
@trpc/server
Next.js App Router
tRPC