CVE-2025-62381
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ciscoheat | sveltekit-superforms | 2.27.3 |
| ciscoheat | sveltekit-superforms | 2.27.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is a prototype pollution issue in sveltekit-superforms versions 2.27.3 and earlier. It occurs in the parseFormData function of formData.js, where an attacker can inject string and array properties into Object.prototype. This manipulation can lead to denial of service, type confusion, and potentially remote code execution in applications that use the polluted objects.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to cause denial of service, create type confusion errors, or even execute remote code in downstream applications that rely on the polluted objects. This can compromise the availability, integrity, and security of your application.
What immediate steps should I take to mitigate this vulnerability?
Upgrade sveltekit-superforms to version 2.27.4 or later, as this version contains the fix for the prototype pollution vulnerability in the parseFormData function.