PT-2026-41696 · Git+2 · Form-Data-Objectizer
0Xbassia
·
Published
2026-05-18
·
Updated
2026-06-02
·
CVE-2026-46510
CVSS v3.1
8.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
form-data-objectizer versions prior to 1.0.1
Description
The software fails to filter
proto, constructor, or prototype when converting FormData to objects using bracket-notation form keys. An attacker can submit a single HTTP form field with a name starting with proto [...] to mutate Object.prototype, leading to prototype pollution across the entire Node.js process. This occurs within the treatInitial() and treatSecond() functions in index.cjs. This issue can be exploited to bypass security checks, inject configuration values, disrupt template rendering, or cause a denial of service by crashing the worker process.Recommendations
Update to version 1.0.1.
Exploit
Fix
Prototype Pollution
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Form-Data-Objectizer