PT-2026-41772 · Milamer+1 · Parse-Nested-Form-Data

0Xbassia · Published 2026-05-18 · Updated 2026-06-01 · CVE-2026-45302

CVSS v3.1: 8.2 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: parse-nested-form-data versions prior to 1.0.1

Description: The parseFormData() function processes bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. An attacker can use a FormData field name that begins with `__proto__`, or that contains `.__proto__.` mid-path, to make the parser traverse onto Object.prototype and assign properties there. This results in prototype pollution: the prototype chain of every plain object in the running process is contaminated. The issue resides in the handlePathPart() function in src/index.ts, which fails to reject reserved keys while processing object-type path segments. In applications that process attacker-controlled FormData, such as HTTP servers, this can lead to corrupted application state, altered control flow, or denial of service.

Recommendations: Update to version 1.0.1. As a temporary workaround, validate field names to ensure they do not contain `__proto__`, `constructor`, or `prototype` before calling the parseFormData() function.
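As an added illustration of the fix and the workaround described above (example code written for this advisory, not the parse-nested-form-data project's own parseFormData() or handlePathPart() implementation): a minimal bracket/dot-notation parser that refuses the reserved keys at every path depth, including mid-path, and builds its result on prototype-less objects so that no path segment can reach Object.prototype. The function names, the path grammar and the sample entries are assumptions.

```javascript
// Added example for this advisory, not the parse-nested-form-data project's code.
// A small bracket/dot-notation parser for FormData field names that refuses
// reserved property keys at every path depth. Names and path grammar are assumptions.

// Keys that would move a path segment onto Object.prototype or a constructor's
// prototype instead of onto a plain data object.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "user[address][street]" or "user.tags[0]" into path segments.
// A trailing "[]" yields an empty segment, meaning "append to array".
function splitFieldName(name) {
  const parts = [];
  const re = /([^.[\]]+)|\[([^\]]*)\]/g;
  let m;
  while ((m = re.exec(name)) !== null) {
    parts.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return parts;
}

// Workaround-style pre-check: true when no segment of the field name is a
// reserved key. Run this over every field name before handing the data to a
// parser that does not perform the check itself.
function isSafeFieldName(name) {
  return splitFieldName(name).every((seg) => !RESERVED_KEYS.has(seg));
}

// Parse an iterable of [name, value] pairs (the shape FormData.entries()
// yields) into a nested structure. Containers are arrays or prototype-less
// objects, and any reserved segment aborts the whole parse.
function parseNestedFormData(entries) {
  const root = Object.create(null); // no prototype chain to walk onto
  for (const [name, value] of entries) {
    const path = splitFieldName(name);
    if (path.length === 0) {
      throw new Error(`empty field name: ${JSON.stringify(name)}`);
    }
    let node = root;
    for (let i = 0; i < path.length; i++) {
      const key = path[i];
      // The check the advisory describes as missing: reject reserved keys
      // at every depth, not only for the leading segment.
      if (RESERVED_KEYS.has(key)) {
        throw new Error(`reserved key ${JSON.stringify(key)} in field ${JSON.stringify(name)}`);
      }
      const last = i === path.length - 1;
      if (last) {
        if (key === '') {
          if (!Array.isArray(node)) {
            throw new Error(`"[]" used on a non-array in field ${JSON.stringify(name)}`);
          }
          node.push(value);
        } else {
          node[key] = value;
        }
        continue;
      }
      if (key === '') {
        throw new Error(`"[]" may only be the last segment of field ${JSON.stringify(name)}`);
      }
      // Create the next container on first sight: an array when the following
      // segment is an index or "[]", otherwise another prototype-less object.
      if (!Object.prototype.hasOwnProperty.call(node, key)) {
        const next = path[i + 1];
        node[key] = next === '' || /^\d+$/.test(next) ? [] : Object.create(null);
      }
      node = node[key];
      if (node === null || typeof node !== 'object') {
        throw new Error(`field ${JSON.stringify(name)} descends into a scalar value`);
      }
    }
  }
  return root;
}
```

Using a null-prototype root is a second line of defence rather than a replacement for the key check: even with the check in place, the returned structure has no prototype chain for downstream code to trip over, while the check itself is what stops a `__proto__`, `constructor` or `prototype` segment from ever being looked up, which matters for the mid-path case where an intermediate node may already be an ordinary array.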

Fix

Weakness Enumeration

Prototype Pollution

Related Identifiers

CVE-2026-45302
GHSA-XP7R-J8R6-J9H3

Affected Products

Parse-Nested-Form-Data