CVE-2026-44483
Prototype Pollution in RVF Form Validation Library
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rvf | set-get | From 6.0.0 (inc) to 6.0.4 (exc) |
| rvf | core | From 6.0.0 (inc) to 6.0.4 (exc) |
| rvf | set-get | to 7.0.2 (inc) |
| rvf | core | to 7.0.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in RVF (formerly Remix Validated Form), a library used for form validation and state management in React applications. Specifically, versions from 6.0.0 up to (but not including) 6.0.4, and version 7.0.2, have an issue in the setPath function within the @rvf/set-get package: the function does not block the special keys __proto__, constructor and prototype when processing form data paths.
Because form field names are passed directly to setPath, an attacker who can submit a form to an application using this library can exploit this to set arbitrary properties on the Object.prototype of the server process. This is known as prototype pollution, which can lead to unexpected behavior or security issues in the application.
No special configuration is needed to exploit this vulnerability; any endpoint accepting form data via parseFormData or using validators created with createValidator is affected.
How can this vulnerability impact me?
This vulnerability allows an attacker to perform prototype pollution on the server process by setting arbitrary properties on Object.prototype. This can lead to serious security impacts including:
- Manipulation of application logic or data by altering object prototypes.
- Potential denial of service (DoS) due to corrupted application state or crashes.
- Escalation of privileges or bypassing security controls if the polluted prototype affects security-sensitive code.
Overall, this vulnerability can compromise the integrity and availability of the affected application.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade the affected packages to the fixed versions: update @rvf/set-get to version 6.0.4 or later, and @rvf/core to version 7.0.2 or later.
Avoid using the vulnerable versions (6.0.0 up to, but not including, 6.0.4, and 7.0.2) of these libraries in your Remix or React Router applications.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to perform prototype pollution on the server process by submitting specially crafted form data, which can lead to arbitrary property assignments on Object.prototype. This can result in bypassing security checks, injecting unintended configuration values, breaking template rendering, or causing denial-of-service conditions.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the integrity impact of this vulnerability could potentially affect the security controls required by such regulations. For example, unauthorized manipulation of server-side objects could undermine data integrity and application security, which are critical for compliance.
However, there is no direct information provided about specific impacts on compliance with GDPR, HIPAA, or other common standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP form submissions to endpoints using the vulnerable versions of @rvf/set-get and @rvf/core, specifically versions >=6.0.0 and <6.0.4 or >=7.0.0 and <7.0.2. Since the attack involves submitting form data with keys like __proto__, constructor, or prototype, detection can focus on identifying such suspicious keys in incoming form data.
There are no specific commands provided in the resources, but general detection steps include inspecting HTTP request payloads for form fields named __proto__, constructor, or prototype.
For example, using command-line tools like curl or tcpdump combined with grep to filter suspicious keys:
- Use tcpdump to capture HTTP traffic and grep for suspicious keys: `tcpdump -A -s 0 'tcp port 80' | grep -E '__proto__|constructor|prototype'`
- Use curl to simulate form submissions with suspicious keys to test whether the server is vulnerable: `curl -X POST -d '__proto__[polluted]=true' https://your-target-endpoint`
Additionally, reviewing server logs for unusual property assignments or errors related to prototype pollution may help in detection.
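The two points above (the missing key check in setPath, and detecting hostile field names in incoming form data) as one added example. This is not RVF's own code: it is a hardened path setter that refuses the three segments named in the advisory, plus a scanner for decoded form bodies. The bracket/dot field-name syntax and the sample body are assumptions constructed for the example.

```javascript
// Added example, not RVF's own code: a hardened path setter that refuses
// the prototype-reaching segments named in the advisory, plus a scanner
// for incoming form field names. Path syntax (user[address][city] or
// user.address.city) is an assumption about how field names are encoded.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Split a field name into path segments; empty segments are dropped.
function parsePath(path) {
  return path.split(/[.\[\]]+/).filter((seg) => seg.length > 0);
}

// Hardened setPath: every segment is checked before anything is written,
// so a hostile path never reaches Object.prototype. Returns the mutated target.
function safeSetPath(target, path, value) {
  const segments = parsePath(path);
  if (segments.length === 0) throw new Error("empty path");
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing unsafe path segment: ${seg}`);
    }
  }
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // hasOwnProperty: never descend into an inherited property such as
    // "constructor", which on a plain object resolves to Object itself.
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== "object" || cur[seg] === null) {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Detection: return the field names in a decoded form body whose path
// contains a forbidden segment. `entries` is any iterable of [name, value]
// pairs, e.g. the entries of a FormData object.
function findSuspiciousFieldNames(entries) {
  const hits = [];
  for (const [name] of entries) {
    if (parsePath(name).some((seg) => FORBIDDEN_SEGMENTS.has(seg))) hits.push(name);
  }
  return hits;
}

// Constructed sample body: two ordinary fields plus the hostile field name
// from the curl line above.
const SAMPLE_FORM = [
  ["user[name]", "alice"],
  ["user[address][city]", "Oslo"],
  ["__proto__[polluted]", "true"],
];
```

Run the scanner inside the application after the body has been decoded rather than only on the wire: the tcpdump line above sees plaintext HTTP only, not TLS traffic, and URL-encoded or multipart bodies are easier to inspect once parsed.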