Description
RVF (formerly Remix Validated Form) provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on Object.prototype of the running server process. This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator is affected. This vulnerability is fixed in 6.0.4 and 7.0.2.
Published: 2026-05-27
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is prototype pollution (CWE-1321) in the setPath function of @rvf/set-get, which does not reject the path segments __proto__, constructor, or prototype when walking a field name. Because @rvf/core passes submitted field names to setPath unchanged via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form can set arbitrary properties on Object.prototype of the server process. A polluted property is inherited by every plain object created afterwards, so the attacker can alter application logic that reads options or configuration objects, bypass checks that rely on a property being absent, or crash the process; this matches the CVSS vector recorded on this page (C:N/I:H/A:L: no confidentiality impact, high integrity impact, low availability impact). Escalation to code execution would require a separate gadget in the application or its dependencies and is not established by the advisory.

Affected Systems

The issue affects the JavaScript package @rvf/set-get and, through it, the rvf project (vendor Airjp73) whose @rvf/core package consumes it. Vulnerable versions are all releases from 6.0.0 up to, but not including, 6.0.4, and from 7.0.0 up to, but not including, 7.0.2. Applications using Remix or React Router that process form data through parseFormData or validators created with createValidator are impacted; @rvf/set-get is normally a transitive dependency, so check the version resolved in the lockfile rather than only the direct dependency list.

Risk and Exploitability

The CVSS 3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) indicates high severity: reachable over the network with low complexity, no privileges and no user interaction, with high integrity and low availability impact. The EPSS estimate is below 1% and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below lists Exploitation: poc and Automatable: yes, so a public proof of concept exists but in-the-wild exploitation has not been reported. The attack vector is an ordinary HTTP form submission to a Remix / React Router endpoint that processes the form with parseFormData or a validator created with createValidator; no special configuration is required to reach the primitive.

Generated by OpenCVE AI on May 27, 2026 at 19:35 UTC.

Remediation

Fixed releases are available: 6.0.4 for the 6.x line and 7.0.2 for the 7.x line (see GHSA-c567-44rc-m5hq). No separate workaround is documented by the vendor; the recommended actions below cover interim mitigation until the upgrade is deployed.

OpenCVE Recommended Actions

  • Upgrade @rvf/set-get, and the @rvf/core / rvf packages that depend on it, to 6.0.4 or later on the 6.x line or 7.0.2 or later on the 7.x line, and confirm the resolved version in the lockfile, since @rvf/set-get is usually pulled in transitively.
  • Until the upgrade is deployed, reject form submissions whose field names contain the path segments __proto__, constructor, or prototype, in either dot or bracket notation, before the request reaches parseFormData or a validator.
  • As defense in depth, consider freezing Object.prototype at process start (Object.freeze(Object.prototype)) after verifying that no dependency needs to extend it, limit form processing to trusted sources where possible, and alert on unexpected properties appearing on Object.prototype.
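As an added illustration, not code from the rvf project and not its real setPath, the following JavaScript reproduces the pattern the advisory describes (a path walker that descends through __proto__ and constructor.prototype) beside the server-side rejection recommended above. Every function name here (parsePath, setPathVulnerable, setPathSafe, flattenFormData, pollutionReaches, hardenedRejects) and the bracket/dot field-name syntax the parser accepts are assumptions for illustration; the real @rvf/set-get path grammar is not reproduced.

```javascript
// Added example, not code from the rvf project. A deliberately minimal
// setPath-style flattener that reproduces the CWE-1321 pattern the advisory
// describes, beside a hardened variant. All function names here are assumed
// for illustration and are not @rvf/set-get's real API.

// Split a bracket/dot field name such as "user[address][city]" or "a.b.c"
// into path segments. Bracket groups are rewritten to dot segments first.
function parsePath(name) {
  return name
    .replace(/\[([^\]]*)\]/g, ".$1")
    .split(".")
    .filter((seg) => seg.length > 0);
}

// Vulnerable pattern: descends through every segment. Reading obj["__proto__"]
// (or obj["constructor"]["prototype"]) returns Object.prototype, which is not
// undefined, so the walk continues into it and the final assignment lands there.
function setPathVulnerable(obj, name, value) {
  const segs = parsePath(name);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const seg = segs[i];
    if (cur[seg] === undefined || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Hardened pattern: reject the three dangerous segments outright, and only
// descend into own properties so inherited objects are never reachable.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

function setPathSafe(obj, name, value) {
  const segs = parsePath(name);
  for (const seg of segs) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`rejected unsafe field name: ${name}`);
    }
  }
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const seg = segs[i];
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== "object" || cur[seg] === null) cur[seg] = {};
    cur = cur[seg];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Stand-in for a preprocessFormData step: fold [name, value] entries (what a
// FormData iterator yields) into one nested object using the given setter.
function flattenFormData(entries, setPath) {
  const out = {};
  for (const [name, value] of entries) setPath(out, name, value);
  return out;
}

// Submit one constructed field through the vulnerable setter and report
// whether a freshly created, unrelated object inherited the value. The
// pollution is undone afterwards so the process is left clean.
function pollutionReaches(fieldName) {
  flattenFormData([[fieldName, "yes"]], setPathVulnerable);
  const leaked = ({}).marker;
  delete Object.prototype.marker;
  return leaked === "yes";
}

// Same submission through the hardened setter: true if it was rejected.
function hardenedRejects(fieldName) {
  try {
    flattenFormData([[fieldName, "yes"]], setPathSafe);
  } catch (e) {
    return true;
  }
  return false;
}

// Constructed attacker field names in both notations the parser accepts.
console.log(pollutionReaches("__proto__[marker]"));            // true
console.log(pollutionReaches("constructor.prototype.marker")); // true
console.log(pollutionReaches("user[marker]"));                 // false
console.log(hardenedRejects("__proto__[marker]"));             // true
console.log(flattenFormData([["user[name]", "alice"]], setPathSafe).user.name); // alice
```

The two checks in setPathSafe are independent layers: the segment deny-list stops the known keys, and the own-property test stops any future route to an inherited object even if a new dangerous name turns up. Either one alone would have prevented the specific path the advisory describes.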


Advisories
Source: GitHub GHSA
ID: GHSA-c567-44rc-m5hq
Title: @rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)
History

Fri, 29 May 2026 16:00:00 +0000

Type: First Time appeared
Values Added: Airjp73; Airjp73 rvf
Type: Vendors & Products
Values Added: Airjp73; Airjp73 rvf

Wed, 27 May 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 16:30:00 +0000

Type: Description
Values Added: RVF (formerly Remix Validated Form) provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on Object.prototype of the running server process. This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator is affected. This vulnerability is fixed in 6.0.4 and 7.0.2.
Type: Title
Values Added: RVF: Prototype pollution in @rvf/set-get reachable via @rvf/core preprocessFormData (HTTP form data)
Type: Weaknesses
Values Added: CWE-1321
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:48:41.768Z

Reserved: 2026-05-06T17:18:51.783Z

Link: CVE-2026-44483

Vulnrichment

Updated: 2026-05-27T18:48:08.940Z

NVD

Status : Deferred

Published: 2026-05-27T17:16:39.510

Modified: 2026-06-17T10:50:42.417

Link: CVE-2026-44483

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:50:32Z

Weaknesses
  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')