{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@rvf/set-get/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@rvf/set-get","@rvf/core"],"_cs_severities":["high"],"_cs_tags":["prototype-pollution","web-application","javascript"],"_cs_type":"advisory","_cs_vendors":["rvf"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@rvf/set-get\u003c/code\u003e library, a dependency of \u003ccode\u003e@rvf/core\u003c/code\u003e, is vulnerable to a prototype pollution attack. This vulnerability arises due to the \u003ccode\u003esetPath\u003c/code\u003e function failing to sanitize or block the \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor\u003c/code\u003e, and \u003ccode\u003eprototype\u003c/code\u003e keys during path traversal. This flaw allows an attacker to manipulate the \u003ccode\u003eObject.prototype\u003c/code\u003e of the server process by submitting malicious form data to an application using \u003ccode\u003e@rvf/core\u003c/code\u003e for form processing. The vulnerability is present in \u003ccode\u003e@rvf/set-get\u003c/code\u003e versions prior to \u003ccode\u003e7.0.2\u003c/code\u003e (7.x line) and \u003ccode\u003e6.0.4\u003c/code\u003e (6.x line), and is reachable through \u003ccode\u003e@rvf/core\u003c/code\u003e versions that depend on a vulnerable \u003ccode\u003e@rvf/set-get\u003c/code\u003e, like the current \u003ccode\u003e8.1.0\u003c/code\u003e which resolves to \u003ccode\u003e7.0.1\u003c/code\u003e by default. This issue allows attackers to inject arbitrary properties, potentially leading to privilege escalation, denial-of-service, or configuration manipulation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts an HTTP POST request containing form data.\u003c/li\u003e\n\u003cli\u003eThe form data includes a field name designed for prototype pollution, such as \u003ccode\u003e__proto__[polluted]=yes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request is sent to a Remix or React Router application that uses \u003ccode\u003e@rvf/core\u003c/code\u003e to handle form data.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eparseFormData\u003c/code\u003e function within \u003ccode\u003e@rvf/core\u003c/code\u003e processes the incoming form data.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eparseFormData\u003c/code\u003e calls \u003ccode\u003epreprocessFormData\u003c/code\u003e which uses the vulnerable \u003ccode\u003esetPath\u003c/code\u003e function from \u003ccode\u003e@rvf/set-get\u003c/code\u003e to flatten the form data into a nested object.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esetPath\u003c/code\u003e fails to block the \u003ccode\u003e__proto__\u003c/code\u003e key, allowing the attacker-controlled value to be written to \u003ccode\u003eObject.prototype\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEvery plain object created in the server process subsequently inherits the polluted property.\u003c/li\u003e\n\u003cli\u003eThis pollution can be exploited to bypass security checks, modify application behavior, or cause a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to set arbitrary properties on the \u003ccode\u003eObject.prototype\u003c/code\u003e of the server process via a single, unauthenticated HTTP request. This pollution persists for the life of the worker process, affecting every subsequent request handled by the same process. The direct consequences depend on the host application and its dependencies. However, typical risks include bypassing authentication checks (\u003ccode\u003eif (obj.isAdmin)\u003c/code\u003e), injecting unintended configuration values, breaking template rendering, and crashing the worker process. The vulnerability leaves no obvious trace in request logs, as the malicious key is not present in the visible output of \u003ccode\u003epreprocessFormData\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003e@rvf/set-get\u003c/code\u003e version \u003ccode\u003e7.0.2\u003c/code\u003e or \u003ccode\u003e6.0.4\u003c/code\u003e to patch CVE-2026-44483.\u003c/li\u003e\n\u003cli\u003eIf a direct upgrade of \u003ccode\u003e@rvf/core\u003c/code\u003e is not feasible, use \u003ccode\u003enpm\u003c/code\u003e or \u003ccode\u003epnpm\u003c/code\u003e overrides to force the resolution of \u003ccode\u003e@rvf/set-get\u003c/code\u003e to a patched version.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to detect potential exploitation attempts by looking for requests with malicious field names in HTTP request logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T16:11:06Z","date_published":"2026-05-11T16:11:06Z","id":"https://feed.craftedsignal.io/briefs/2026-05-rvf-prototype-pollution/","summary":"The `@rvf/set-get` library, used by `@rvf/core`, is vulnerable to prototype pollution via form data processing; the `setPath` function does not block the keys `__proto__`, `constructor`, or `prototype` when walking a path, allowing attackers to set arbitrary properties on `Object.prototype` of the running server process via HTTP form submissions (CVE-2026-44483).","title":"@rvf/set-get Prototype Pollution via Form Data Processing (CVE-2026-44483)","url":"https://feed.craftedsignal.io/briefs/2026-05-rvf-prototype-pollution/"}],"language":"en","title":"CraftedSignal Threat Feed — @Rvf/Set-Get","version":"https://jsonfeed.org/version/1.1"}