Description
parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1.
Published: 2026-06-01
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

parse-nested-form-data, a Node.js library that parses FormData into nested objects, has a prototype pollution flaw. Before version 1.0.1 the parser does not filter reserved property names, so a field beginning with __proto__ or containing .__proto__ causes Object.prototype to be extended. All plain objects in the process inherit those properties, compromising code that relies on the default prototype chain.

Affected Systems

The module milamer/parse-nested-form-data is affected. All releases older than version 1.0.1 are vulnerable. The flaw appears when a FormData field name begins with __proto__ or contains .__proto__ mid-path. Upgrading to v1.0.1 removes the issue.

Risk and Exploitability

The CVSS score is 8.2, indicating high severity. No EPSS score is available, and the absence of a KEV listing suggests no publicly known exploitation yet. If an attacker can submit FormData to a route that passes it to the vulnerable parser, the flaw is exploitable remotely without authentication or user interaction, with a significant impact on application integrity.

Generated by OpenCVE AI on June 1, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade parse-nested-form-data to version 1.0.1 or later.
  • If upgrading is not possible, sanitize all FormData field names to exclude __proto__ and other reserved keys before passing them to the parser.
  • Consider replacing parse-nested-form-data with a more actively maintained form data parsing library that implements proper prototype pollution defenses.

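The description above explains the unsafe walk: bracket and dot-notation field names are split into path segments and each segment is used as a property name, so a `__proto__` segment lands the walk on Object.prototype. The parser below is an added example (not the library's own code) of the hardened form the recommended actions ask for: reserved segments are rejected before they are ever used as a key, and an own-property check stops inherited names from being reused as containers. It assumes input as `[name, value]` pairs, the shape `FormData.entries()` yields.

```javascript
// Added example, not the library's code: parse [name, value] pairs such as
// FormData.entries() yields into nested objects/arrays, refusing reserved
// keys anywhere in the path so the walk can never land on Object.prototype.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// "user.roles[]" -> ["user", "roles", ""]; an empty segment means "push".
function splitPath(name) {
  const segs = [];
  for (const part of name.split('.')) {
    const m = part.match(/^([^\[\]]*)((?:\[[^\[\]]*\])*)$/);
    if (!m) throw new Error(`malformed field name: ${name}`);
    if (m[1] !== '') segs.push(m[1]);
    for (const b of m[2].matchAll(/\[([^\[\]]*)\]/g)) segs.push(b[1]);
  }
  if (segs.length === 0) throw new Error(`empty field name: ${name}`);
  return segs;
}

// Walk the path, creating containers as needed; a reserved segment is
// rejected before it is ever used as a property name.
function setPath(root, segs, value) {
  let node = root;
  for (let i = 0; i < segs.length; i++) {
    const key = segs[i];
    if (RESERVED.has(key)) throw new Error(`reserved key rejected: ${key}`);
    if (key === '' && !Array.isArray(node)) throw new Error('[] on non-array');
    if (i === segs.length - 1) {
      if (key === '') node.push(value); else node[key] = value;
      return;
    }
    const next = segs[i + 1];
    const child = next === '' || /^\d+$/.test(next) ? [] : {};
    if (key === '') { node.push(child); node = child; continue; }
    // hasOwnProperty keeps inherited names (e.g. toString) from being reused.
    if (!Object.prototype.hasOwnProperty.call(node, key)) node[key] = child;
    node = node[key];
  }
}

function parseFormData(entries) {
  const result = {};
  for (const [name, value] of entries) setPath(result, splitPath(name), value);
  return result;
}

// Constructed sample entries (not from the advisory). REJECTED_NAMES have the
// shape the advisory describes and must throw without touching Object.prototype.
const BENIGN = [['user.name', 'alice'], ['user.roles[]', 'admin'],
  ['user.roles[]', 'dev'], ['items[0].id', '7']];
const REJECTED_NAMES = ['__proto__.polluted', 'a.__proto__.polluted', 'x.constructor.prototype.polluted'];
```

Rejecting the request outright (rather than silently dropping the field) is the safer choice, since a field carrying such a name is never a legitimate form submission.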


Advisories
Source | ID | Title
GitHub GHSA | GHSA-xp7r-j8r6-j9h3 | parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names
History

Mon, 01 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1.
Title | | Prototype Pollution in parse-nested-form-data via `__proto__` in FormData field names
Weaknesses | | CWE-1321
References | |
Metrics | | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T17:20:34.772Z

Reserved: 2026-05-11T20:14:43.202Z

Link: CVE-2026-45302

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T19:16:51.113

Modified: 2026-06-01T19:16:51.113

Link: CVE-2026-45302

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T21:15:15Z

Weaknesses