{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/form-data-objectizer/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["form-data-objectizer"],"_cs_severities":["medium"],"_cs_tags":["prototype-pollution","javascript","node.js"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eform-data-objectizer\u003c/code\u003e npm package, version 1.0.0, is susceptible to prototype pollution. The library expands bracket-notation form keys (e.g., \u003ccode\u003ename[sub]\u003c/code\u003e) into nested objects without rejecting the special property names \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor\u003c/code\u003e, and \u003ccode\u003eprototype\u003c/code\u003e. By submitting a form field whose name starts with \u003ccode\u003e__proto__[...]\u003c/code\u003e, an attacker can write attacker-controlled properties onto \u003ccode\u003eObject.prototype\u003c/code\u003e, which every ordinary object in the process inherits. This vulnerability was reported on May 18, 2026, and affects Node.js applications that use the \u003ccode\u003eform-data-objectizer.toObject()\u003c/code\u003e function to parse incoming form data. 
The injected properties persist across requests handled by the same process, magnifying the impact.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious HTTP form request containing a field whose key starts with \u003ccode\u003e__proto__\u003c/code\u003e, for example \u003ccode\u003e__proto__[polluted]=yes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Node.js application receives the HTTP request and uses the \u003ccode\u003eform-data-objectizer\u003c/code\u003e library to parse the form data.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etoObject()\u003c/code\u003e function in \u003ccode\u003eform-data-objectizer\u003c/code\u003e calls the \u003ccode\u003etreatInitial\u003c/code\u003e function to process the form data.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etreatInitial\u003c/code\u003e function looks up the \u003ccode\u003e__proto__\u003c/code\u003e key on the result object, which resolves to \u003ccode\u003eObject.prototype\u003c/code\u003e rather than to a fresh child object.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etreatSecond\u003c/code\u003e function is then called recursively with the remaining part of the key, such as \u003ccode\u003epolluted\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etreatSecond\u003c/code\u003e function directly assigns the attacker-controlled value to \u003ccode\u003eObject.prototype[polluted]\u003c/code\u003e, polluting the prototype.\u003c/li\u003e\n\u003cli\u003eEvery object in the Node.js process that inherits from \u003ccode\u003eObject.prototype\u003c/code\u003e, whether it already exists or is created later, now resolves the polluted property.\u003c/li\u003e\n\u003cli\u003eThe attacker then abuses the polluted prototype to alter application behavior or to cause a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to pollute the prototype of all 
objects in the Node.js process. This can lead to various consequences, including bypassing \u003ccode\u003eif (obj.isAdmin)\u003c/code\u003e style checks, injecting unintended config values into objects merged with user input, breaking template rendering, and crashing the worker process when other libraries encounter unexpected inherited properties. The vulnerability affects any application using \u003ccode\u003eform-data-objectizer\u003c/code\u003e to parse form data, potentially impacting a wide range of Node.js applications. An unauthenticated attacker can trigger it with a single HTTP request.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested patch provided in the advisory, which rejects any form key segment equal to \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor\u003c/code\u003e, or \u003ccode\u003eprototype\u003c/code\u003e in \u003ccode\u003eform-data-objectizer\u003c/code\u003e, to mitigate CVE-2026-46510.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Prototype Pollution via form-data-objectizer\u0026rdquo; to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests containing form fields whose names start with \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor\u003c/code\u003e, or \u003ccode\u003eprototype\u003c/code\u003e. Note that default access logs record the query string but not the POST body, so body-level detection requires request-body logging at the reverse proxy or WAF, and percent-encoded variants such as \u003ccode\u003e__proto__%5Bpolluted%5D\u003c/code\u003e must be decoded before matching.\u003c/li\u003e\n\u003cli\u003eConsider using \u003ccode\u003eObject.create(null)\u003c/code\u003e for the result object as a preventative measure, but also guard against direct writes to \u003ccode\u003e__proto__\u003c/code\u003e as described in the advisory, since any intermediate object created as an ordinary object literal during expansion still inherits from \u003ccode\u003eObject.prototype\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T13:28:55Z","date_published":"2026-05-18T13:28:55Z","id":"https://feed.craftedsignal.io/briefs/2026-05-form-data-objectizer-prototype-pollution/","summary":"The form-data-objectizer npm 
package version 1.0.0 is vulnerable to prototype pollution (CVE-2026-46510) via crafted form keys, allowing an attacker to modify Object.prototype and potentially cause denial-of-service, bypass security checks, or inject unintended values.","title":"form-data-objectizer Prototype Pollution Vulnerability (CVE-2026-46510)","url":"https://feed.craftedsignal.io/briefs/2026-05-form-data-objectizer-prototype-pollution/"}],"language":"en","title":"CraftedSignal Threat Feed — Form-Data-Objectizer","version":"https://jsonfeed.org/version/1.1"}
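The attack chain and the recommended mitigation in the brief above, as an added worked example in JavaScript. This is not part of the original feed item and not form-data-objectizer's source: `splitKey` and `toObjectVulnerable` are a hypothetical stand-in modelled on the behaviour the advisory describes (walk each bracket segment with `cur[seg]`, assign the last one directly), not the library's `treatInitial`/`treatSecond`. `toObjectHardened` applies the advisory's fix of rejecting the `__proto__`, `constructor` and `prototype` segments and additionally builds every container with a null prototype; `hasPrototypePollutionKey` shows the percent-decoding step a log-based detection needs. The request bodies are constructed for the example.

```javascript
'use strict';

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// "a[b][c]" -> ["a", "b", "c"]; a key without brackets is a single segment.
// Hypothetical bracket-key splitter, not the library's own parsing code.
function splitKey(key) {
  const m = /^([^\[\]]+)((?:\[[^\[\]]*\])*)$/.exec(key);
  if (!m) return [key];
  const segs = [m[1]];
  for (const [, inner] of m[2].matchAll(/\[([^\[\]]*)\]/g)) segs.push(inner);
  return segs;
}

// Vulnerable expansion, modelled on the pre-patch behaviour the advisory describes.
function toObjectVulnerable(body) {
  const result = {};
  for (const [key, value] of new URLSearchParams(body)) {
    const segs = splitKey(key);
    let cur = result;
    for (let i = 0; i < segs.length - 1; i++) {
      // For seg === "__proto__", cur[seg] is Object.prototype via the inherited
      // accessor, so the walk leaves the result object and lands on the prototype.
      if (cur[segs[i]] === undefined) cur[segs[i]] = {};
      cur = cur[segs[i]];
    }
    cur[segs[segs.length - 1]] = value; // with cur === Object.prototype this pollutes it
  }
  return result;
}

// Hardened expansion: reject the three dangerous segments outright (the advisory's
// suggested fix) and build every container with a null prototype so no lookup
// during the walk can reach Object.prototype.
function toObjectHardened(body) {
  const result = Object.create(null);
  for (const [key, value] of new URLSearchParams(body)) {
    const segs = splitKey(key);
    if (segs.some((s) => FORBIDDEN_SEGMENTS.has(s))) {
      throw new Error(`rejected unsafe form key: ${key}`); // caller maps this to HTTP 400
    }
    let cur = result;
    for (let i = 0; i < segs.length - 1; i++) {
      const seg = segs[i];
      if (!Object.prototype.hasOwnProperty.call(cur, seg) || typeof cur[seg] !== 'object' || cur[seg] === null) {
        cur[seg] = Object.create(null);
      }
      cur = cur[seg];
    }
    cur[segs[segs.length - 1]] = value;
  }
  return result;
}

// Detection check for a log pipeline or WAF rule: decode the raw query string or
// body first, then test each key segment, so "__proto__%5Bpolluted%5D" is caught
// as well as the plain form. Hypothetical helper, not the advisory's Sigma rule.
function hasPrototypePollutionKey(rawParams) {
  for (const [key] of new URLSearchParams(rawParams)) {
    if (splitKey(key).some((s) => FORBIDDEN_SEGMENTS.has(s))) return true;
  }
  return false;
}

// Constructed attacker request body, matching the advisory's attack chain.
const ATTACK_BODY = '__proto__[polluted]=yes&user[name]=alice';

// Runs the vulnerable parser once and reports what a fresh object inherits before
// and after, then removes the injected property so the rest of the process recovers.
function demonstratePollution() {
  const before = {}.polluted;
  toObjectVulnerable(ATTACK_BODY);
  const after = {}.polluted;
  delete Object.prototype.polluted;
  return { before, after }; // { before: undefined, after: 'yes' }
}

// Runs the hardened parser against the same body: the request is rejected and
// Object.prototype stays clean.
function demonstrateHardened() {
  let rejected = false;
  try {
    toObjectHardened(ATTACK_BODY);
  } catch (e) {
    rejected = true;
  }
  return { rejected, polluted: {}.polluted }; // { rejected: true, polluted: undefined }
}

console.log(demonstratePollution(), demonstrateHardened());
```

The null-prototype containers in `toObjectHardened` are a belt-and-braces measure: the segment rejection alone closes the reported path, but a null-prototype result also means a later `cur[seg]` lookup can never resolve to an inherited accessor if a new dangerous name is added to the language.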