PT-2026-39894 · Npm+3 · @Rvf/Set-Get+2

0Xbassia

·

Published

2026-05-11

·

Updated

2026-05-27

·

CVE-2026-44483

CVSS v3.1

8.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions RVF versions 6.0.0 through 6.0.3 RVF versions 7.0.0 through 7.0.1
Description The setPath function in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) fails to block the keys proto, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData or validate), an attacker can set arbitrary properties on Object.prototype of the running server process. This is a prototype pollution primitive—a condition where an attacker can manipulate the prototype of base objects to change the behavior of the application—that is reachable by default without special configuration. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator() is affected. This can lead to bypassing security checks, injecting unintended configuration values, breaking template rendering, or causing a denial of service by crashing the worker process.
Recommendations Update RVF versions 6.0.0 through 6.0.3 to version 6.0.4. Update RVF versions 7.0.0 through 7.0.1 to version 7.0.2.

Exploit

Fix

Prototype Pollution

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44483
GHSA-C567-44RC-M5HQ

Affected Products

@Rvf/Set-Get
Rvf
Set-Get