Impact Analysis

This vulnerability can allow an attacker to modify the prototype of all plain objects in the affected process by submitting specially crafted FormData field names. This prototype pollution can lead to corruption of application state, altered control flow, or denial of service conditions.

Because the vulnerability can be exploited remotely over the network without any privileges or user interaction, it poses a high risk to applications using vulnerable versions of the parse-nested-form-data module.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows prototype pollution by modifying Object.prototype, which can lead to corruption of application state, altered control flow, or denial of service.

Such impacts could potentially affect the security and integrity of applications handling sensitive data, which may in turn affect compliance with standards like GDPR or HIPAA that require protection of data integrity and availability.

However, the provided information does not explicitly describe direct effects on compliance with these regulations.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-45302 is a prototype pollution vulnerability in the parse-nested-form-data Node.js module, which parses FormData field names into nested objects. Before version 1.0.1, the parser did not filter out reserved property keys such as __proto__, constructor, or prototype. If a FormData field name started with __proto__ or contained .__proto__. mid-path, the parser would traverse and assign properties to Object.prototype. This pollutes the prototype chain of all plain objects in the running process, potentially corrupting application state.

The issue was fixed in version 1.0.1 by introducing checks that throw a ForbiddenKeyError when reserved keys are detected in field names, preventing prototype pollution.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves prototype pollution via specially crafted FormData field names containing reserved keys like __proto__ or .__proto__. mid-path. Detection involves monitoring or inspecting FormData submissions for such suspicious field names.

You can detect attempts to exploit this vulnerability by searching logs or network captures for FormData fields with names starting with __proto__ or containing .__proto__.

• Use network traffic inspection tools (e.g., Wireshark or tcpdump) to capture HTTP requests and filter for FormData fields containing '__proto__'.
• On a Linux system, use grep to search application logs or captured HTTP request dumps for suspicious keys, for example: grep -r '__proto__' /path/to/logs
• If you have access to the application code or runtime, add logging or validation to detect when FormData field names contain forbidden keys before parsing.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the parse-nested-form-data module to version 1.0.1 or later, where the vulnerability is fixed.

Version 1.0.1 introduces checks that throw a ForbiddenKeyError when reserved keys like __proto__, constructor, or prototype are detected in FormData field names, preventing prototype pollution.

As a workaround before upgrading, validate and sanitize all FormData field names to reject or filter out any keys containing __proto__ or similar reserved property keys.

• Update parse-nested-form-data to version 1.0.1 or later.
• Implement input validation to reject FormData fields with names containing reserved keys.
• Monitor application logs for any suspicious FormData field names indicating attempted exploitation.

Useful 0 Not Useful 0