CVE-2026-45302
Deferred Deferred - Pending Action

Prototype Pollution in parse-nested-form-data Library

Vulnerability report for CVE-2026-45302, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-01

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description

parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-01
Last Modified
2026-06-02
Generated
2026-07-12
AI Q&A
2026-06-01
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
milamer parse-nested-form-data to 1.0.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows prototype pollution by modifying Object.prototype, which can lead to corruption of application state, altered control flow, or denial of service.

Such impacts could potentially affect the security and integrity of applications handling sensitive data, which may in turn affect compliance with standards like GDPR or HIPAA that require protection of data integrity and availability.

However, the provided information does not explicitly describe direct effects on compliance with these regulations.

Impact Analysis

This vulnerability can allow an attacker to modify the prototype of all plain objects in the affected process by submitting specially crafted FormData field names. This prototype pollution can lead to corruption of application state, altered control flow, or denial of service conditions.

Because the vulnerability can be exploited remotely over the network without any privileges or user interaction, it poses a high risk to applications using vulnerable versions of the parse-nested-form-data module.

Executive Summary

CVE-2026-45302 is a prototype pollution vulnerability in the parse-nested-form-data Node.js module, which parses FormData field names into nested objects. Before version 1.0.1, the parser did not filter out reserved property keys such as __proto__, constructor, or prototype. If a FormData field name started with __proto__ or contained .__proto__. mid-path, the parser would traverse and assign properties to Object.prototype. This pollutes the prototype chain of all plain objects in the running process, potentially corrupting application state.

The issue was fixed in version 1.0.1 by introducing checks that throw a ForbiddenKeyError when reserved keys are detected in field names, preventing prototype pollution.

Detection Guidance

This vulnerability involves prototype pollution via specially crafted FormData field names containing reserved keys like __proto__ or .__proto__. mid-path. Detection involves monitoring or inspecting FormData submissions for such suspicious field names.

You can detect attempts to exploit this vulnerability by searching logs or network captures for FormData fields with names starting with __proto__ or containing .__proto__.

  • Use network traffic inspection tools (e.g., Wireshark or tcpdump) to capture HTTP requests and filter for FormData fields containing '__proto__'.
  • On a Linux system, use grep to search application logs or captured HTTP request dumps for suspicious keys, for example: grep -r '__proto__' /path/to/logs
  • If you have access to the application code or runtime, add logging or validation to detect when FormData field names contain forbidden keys before parsing.
Mitigation Strategies

The primary mitigation is to upgrade the parse-nested-form-data module to version 1.0.1 or later, where the vulnerability is fixed.

Version 1.0.1 introduces checks that throw a ForbiddenKeyError when reserved keys like __proto__, constructor, or prototype are detected in FormData field names, preventing prototype pollution.

As a workaround before upgrading, validate and sanitize all FormData field names to reject or filter out any keys containing __proto__ or similar reserved property keys.

  • Update parse-nested-form-data to version 1.0.1 or later.
  • Implement input validation to reject FormData fields with names containing reserved keys.
  • Monitor application logs for any suspicious FormData field names indicating attempted exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45302. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart