PT-2026-39894 · Npm+3 · @Rvf/Set-Get+2
0Xbassia
·
Published
2026-05-11
·
Updated
2026-05-27
·
CVE-2026-44483
CVSS v3.1
8.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
RVF versions 6.0.0 through 6.0.3
RVF versions 7.0.0 through 7.0.1
Description
The
setPath function in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) fails to block the keys proto, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData or validate), an attacker can set arbitrary properties on Object.prototype of the running server process. This is a prototype pollution primitive—a condition where an attacker can manipulate the prototype of base objects to change the behavior of the application—that is reachable by default without special configuration. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator() is affected. This can lead to bypassing security checks, injecting unintended configuration values, breaking template rendering, or causing a denial of service by crashing the worker process.Recommendations
Update RVF versions 6.0.0 through 6.0.3 to version 6.0.4.
Update RVF versions 7.0.0 through 7.0.1 to version 7.0.2.
Exploit
Fix
Prototype Pollution
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
@Rvf/Set-Get
Rvf
Set-Get