CVE-2025-68130
Prototype Pollution in tRPC `formDataToObject` Enables Authorization Bypass
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| trpc | server | 11.8.0 |
| trpc | server | 10.27.0 |
| trpc | server | 10.45.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68130 is a prototype pollution vulnerability in the `formDataToObject` function of the `@trpc/server` package, specifically when using the experimental Next.js App Router adapter features `experimental_caller` or `experimental_nextAppDirCaller`. The vulnerability occurs because the function does not properly validate or sanitize FormData field names, allowing an attacker to submit specially crafted keys like `__proto__[isAdmin]` that modify `Object.prototype`. This pollution affects all objects in the JavaScript environment, enabling attackers to inject or override properties globally. [1]
How can this vulnerability impact me?
This vulnerability can lead to several serious impacts: 1) Authorization Bypass: Applications that check user permissions by accessing object properties (e.g., `user.isAdmin`) can be bypassed because all objects inherit the polluted properties set by the attacker. 2) Denial of Service: Polluting critical properties like `toString` can cause application crashes or unexpected behavior. Overall, it can compromise application integrity and availability, potentially allowing attackers to escalate privileges or disrupt service. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious FormData submissions containing keys like `__proto__[isAdmin]` or other prototype pollution patterns in requests to tRPC mutations using Next.js Server Actions. You can inspect incoming HTTP requests for FormData fields with keys that include `__proto__`, `constructor`, or `prototype`; for example, command-line tools like curl or tcpdump can capture traffic, and grep can search for these keys in payloads. Additionally, reviewing logs or using application-level logging to detect unexpected properties on `Object.prototype` (e.g., checking whether `{}.isAdmin` is set) can help identify exploitation attempts. Specific commands might include: 1) using curl to simulate or detect malicious FormData: `curl -X POST -F "__proto__[isAdmin]=true" http://yourserver/endpoint`; 2) using tcpdump to capture HTTP traffic: `tcpdump -A -s 0 'tcp port 80' | grep '__proto__'`; 3) in the Node.js runtime, checking for pollution: `console.log({}.isAdmin)` to see whether the property exists unexpectedly. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the `@trpc/server` package to version 10.45.3 or 11.8.0 or later, where the vulnerability is fixed by adding validation to prevent prototype pollution. Additionally, avoid using the experimental features `experimental_caller` and `experimental_nextAppDirCaller` if possible, as the vulnerability only exists when these are enabled. If upgrading immediately is not feasible, consider implementing input validation or sanitization to reject FormData keys containing `__proto__`, `constructor`, or `prototype` to prevent pollution. Monitoring and restricting access to the vulnerable endpoints can also reduce risk until a patch is applied. [1]
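The following added example (not tRPC's own `formDataToObject`, and not code from the advisory) is a hypothetical minimal bracket-notation parser written in two variants to show both the defect class described above and the key-rejection mitigation: `unsafeFormDataToObject` follows a `__proto__` segment into `Object.prototype`, while `safeFormDataToObject` rejects the forbidden segments and builds on null-prototype objects. All function names are assumptions, and the `SAMPLE_ENTRIES` array is a constructed stand-in for the `[name, value]` pairs a submitted FormData object yields.

```javascript
// Hypothetical minimal parser for the defect class behind CVE-2025-68130.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// "user[name]" -> ["user", "name"]; "tags[0]" -> ["tags", "0"]
function parsePath(fieldName) {
  const m = fieldName.match(/^([^[\]]+)((?:\[[^[\]]*\])*)$/);
  if (!m) throw new Error(`Malformed field name: ${fieldName}`);
  const segments = [m[1]];
  for (const part of m[2].matchAll(/\[([^[\]]*)\]/g)) segments.push(part[1]);
  return segments;
}

// Walks/creates nested containers along `segments` and stores `value` at the end.
// strict=false reproduces the bug: "__proto__" resolves to Object.prototype.
function setPath(root, segments, value, strict) {
  let cur = root;
  segments.forEach((seg, i) => {
    if (strict && FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`Rejected FormData field segment: ${seg}`);
    }
    if (i === segments.length - 1) {
      cur[seg] = value;
      return;
    }
    if (typeof cur[seg] !== "object" || cur[seg] === null) {
      // Null-prototype containers are a second layer: "__proto__" becomes an own key.
      cur[seg] = strict ? Object.create(null) : {};
    }
    cur = cur[seg];
  });
}

function unsafeFormDataToObject(entries) {
  const out = {};
  for (const [name, value] of entries) setPath(out, parsePath(name), value, false);
  return out;
}

function safeFormDataToObject(entries) {
  const out = Object.create(null);
  for (const [name, value] of entries) setPath(out, parsePath(name), value, true);
  return out;
}

// Runtime detection check: has Object.prototype gained an unexpected own property?
function isPrototypePolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

// Constructed sample submission: one benign field plus the hostile key from the advisory.
const SAMPLE_ENTRIES = [["user[name]", "alice"], ["__proto__[isAdmin]", "true"]];
```

Running the hardened parser over `SAMPLE_ENTRIES` throws before any write, and `isPrototypePolluted("isAdmin")` stays `false`; the unsafe variant leaves `({}).isAdmin === "true"` for every object in the process.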