{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/parse-nested-form-data--1.0.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["parse-nested-form-data (\u003c= 1.0.0)"],"_cs_severities":["medium"],"_cs_tags":["prototype-pollution","javascript","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eparse-nested-form-data\u003c/code\u003e library, versions 1.0.0 and earlier, contains a prototype pollution vulnerability. The vulnerability lies in how the \u003ccode\u003eparseFormData()\u003c/code\u003e function handles bracket and dot-notation within FormData field names. By crafting a FormData field name containing \u003ccode\u003e__proto__\u003c/code\u003e, an attacker can manipulate the prototype chain of JavaScript objects. This occurs because the parsing logic doesn\u0026rsquo;t properly filter reserved property keys during the creation of nested objects from the FormData fields. 
This issue was patched in version 1.0.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious HTTP request containing a FormData object.\u003c/li\u003e\n\u003cli\u003eThe FormData object includes a field with a name containing \u003ccode\u003e__proto__\u003c/code\u003e, such as \u003ccode\u003e__proto__.polluted=yes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server-side application receives the HTTP request and extracts the FormData object.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003eparseFormData()\u003c/code\u003e to parse the FormData into a nested JavaScript object.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eparseFormData()\u003c/code\u003e function processes the malicious field name without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehandlePathPart\u003c/code\u003e function within \u003ccode\u003eparseFormData()\u003c/code\u003e uses the \u003ccode\u003e__proto__\u003c/code\u003e segment to traverse onto \u003ccode\u003eObject.prototype\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA property is assigned to \u003ccode\u003eObject.prototype\u003c/code\u003e, polluting the prototype chain for all plain JavaScript objects.\u003c/li\u003e\n\u003cli\u003eSubsequent operations on JavaScript objects may exhibit unexpected behavior due to the prototype pollution, leading to application compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated remote attacker to pollute the prototype chain of JavaScript objects in the affected application. This can lead to various impacts, including: corrupted application state, altered control flow in code that reads properties off objects, and denial of service. 
The severity of the impact depends on how the application uses JavaScript objects and their properties. Every application that uses the affected package is vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003eparse-nested-form-data\u003c/code\u003e version 1.0.1 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, implement the workaround provided in the advisory to validate field names before calling \u003ccode\u003eparseFormData()\u003c/code\u003e to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Prototype Pollution Attempt in parse-nested-form-data via FormData\u003c/code\u003e to detect exploitation attempts based on HTTP request patterns.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests with form data containing \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor\u003c/code\u003e, or \u003ccode\u003eprototype\u003c/code\u003e in the field names as described in the vulnerability details.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T16:44:44Z","date_published":"2026-05-18T16:44:44Z","id":"https://feed.craftedsignal.io/briefs/2026-05-parse-nested-form-data-prototype-pollution/","summary":"parse-nested-form-data versions 1.0.0 and earlier are vulnerable to prototype pollution via crafted FormData field names, allowing an unauthenticated remote client to mutate `Object.prototype` and potentially corrupt application state, alter control flow, or cause denial of service.","title":"parse-nested-form-data Prototype Pollution Vulnerability (CVE-2026-45302)","url":"https://feed.craftedsignal.io/briefs/2026-05-parse-nested-form-data-prototype-pollution/"}],"language":"en","title":"CraftedSignal Threat Feed — Parse-Nested-Form-Data (\u003c= 1.0.0)","version":"https://jsonfeed.org/version/1.1"}