Description
parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1.
Published: 2026-06-01
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
AI Analysis

Impact

parse-nested-form-data, a Node.js library that parses FormData into nested objects, has a prototype pollution flaw. Before version 1.0.1 the parser does not filter reserved property names, so a field name beginning with __proto__ or containing .__proto__. mid-path makes the parser descend into Object.prototype and assign the field value there. Every plain object in the process then inherits that property, so any code that relies on the default prototype chain (for example, treating an unset key as absent) can be subverted by attacker-controlled values.

Affected Systems

The module milamer/parse-nested-form-data is affected. All releases older than version 1.0.1 are vulnerable. The flaw appears when a FormData field name begins with __proto__ or contains .__proto__ mid-path. Upgrading to v1.0.1 removes the issue.

Risk and Exploitability

The CVSS 3.1 base score is 8.2 (High): the vector is network-reachable, low complexity, no privileges and no user interaction, with high integrity impact and low availability impact. The EPSS score is below 1% and the CVE is not listed in CISA's KEV catalog, so no active exploitation is known; the SSVC assessment recorded in the history below does note a public proof of concept. Any attacker who can submit form fields that the application passes to parseFormData() can reach the flaw remotely, with a significant impact on application integrity and a possible denial of service where the polluted properties break code paths.

Generated by OpenCVE AI on June 1, 2026 at 21:05 UTC.

Remediation

Fixed upstream in parse-nested-form-data version 1.0.1. No separate workaround is provided by the vendor.

OpenCVE Recommended Actions

  • Upgrade parse-nested-form-data to version 1.0.1 or later.
  • If upgrading is not possible, sanitize all FormData field names to exclude __proto__ and other reserved keys before passing them to the parser.
  • Consider replacing parse-nested-form-data with a more actively maintained form data parsing library that implements proper prototype pollution defenses.
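The description above explains how walking bracket and dot-notation field names into nested objects lands on Object.prototype, and the second recommended action suggests rejecting reserved keys before parsing. The following is an added example, not code from parse-nested-form-data or from the advisory: a minimal parser of that style written first in the vulnerable form, then hardened. The reserved-key set beyond __proto__ (constructor, prototype) is my own defense-in-depth choice, array ("[]") fields are omitted for brevity, and the input is constructed inline as [name, value] pairs, which is the same shape a real FormData yields when iterated.

```javascript
// Added illustrative code; not parse-nested-form-data's own implementation.

// "user[address][city]" -> ["user", "address", "city"]
// "user.address.city"   -> ["user", "address", "city"]
function splitPath(name) {
  return name.replace(/\[([^\]]*)\]/g, '.$1').split('.').filter(Boolean);
}

// Vulnerable form: no reserved-key filtering. For "__proto__[x]" the first
// hop reads out["__proto__"], which is Object.prototype (an object, so it is
// not replaced), and the leaf assignment lands on the shared prototype.
// "a.__proto__.x" does the same one level down.
function parseFormDataVulnerable(entries) {
  const out = {};
  for (const [name, value] of entries) {
    const path = splitPath(name);
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      const key = path[i];
      if (cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
      cur = cur[key];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}

// Assumption: a defense-in-depth reserved set; the advisory itself names
// only __proto__.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened form: reject reserved keys anywhere in the path, and only descend
// into containers this parser created itself (own properties), never into
// anything inherited from the prototype chain.
function parseFormDataHardened(entries) {
  const out = {};
  for (const [name, value] of entries) {
    const path = splitPath(name);
    for (const key of path) {
      if (RESERVED_KEYS.has(key)) {
        throw new Error(`reserved key "${key}" in field name "${name}"`);
      }
    }
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      const key = path[i];
      const own = Object.prototype.hasOwnProperty.call(cur, key);
      if (!own || cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
      cur = cur[key];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}

// Probe: feed one constructed field to a parser, then report whether
// Object.prototype gained `leafKey` and whether the parser threw. Cleans the
// prototype afterwards so repeated probes in one process stay independent.
function probe(parser, fieldName, leafKey) {
  let threw = false;
  try {
    parser([[fieldName, 'yes']]); // constructed input; FormData iterates the same way
  } catch (e) {
    threw = true;
  }
  const polluted = Object.prototype.hasOwnProperty.call(Object.prototype, leafKey);
  delete Object.prototype[leafKey]; // restore the process
  return { threw, polluted };
}

console.log('vulnerable, leading __proto__ :', probe(parseFormDataVulnerable, '__proto__[polluted]', 'polluted'));
console.log('vulnerable, mid-path __proto__:', probe(parseFormDataVulnerable, 'user.__proto__.polluted', 'polluted'));
console.log('hardened,   leading __proto__ :', probe(parseFormDataHardened, '__proto__[polluted]', 'polluted'));
console.log('hardened,   mid-path __proto__:', probe(parseFormDataHardened, 'user.__proto__.polluted', 'polluted'));
console.log('hardened,   benign field      :', parseFormDataHardened([['user[address][city]', 'Paris']]));
```

The own-property check matters on its own, independently of the key blocklist: it keeps a field such as toString[x] from being resolved against inherited members, and it means a future addition to the blocklist is not the only line of defence. If the upgrade to 1.0.1 cannot be applied immediately, running field names through the same reserved-key rejection before calling the library's parseFormData() is the workaround the recommended actions describe.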


Advisories
Source: GitHub GHSA
ID: GHSA-xp7r-j8r6-j9h3
Title: parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names
History

Wed, 03 Jun 2026 02:30:00 +0000

Values added:
  First Time appeared: Milamer; Milamer parse-nested-form-data
  Vendors & Products: Milamer; Milamer parse-nested-form-data

Tue, 02 Jun 2026 15:30:00 +0000

Values added:
  Metrics (ssvc, version 2.0.3): Automatable: yes; Exploitation: poc; Technical Impact: partial

Mon, 01 Jun 2026 19:00:00 +0000

Values added:
  Description: parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1.
  Title: Prototype Pollution in parse-nested-form-data via `__proto__` in FormData field names
  Weaknesses: CWE-1321
  References: (no values shown)
  Metrics (cvssV3_1): score 8.2; vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T14:45:17.644Z

Reserved: 2026-05-11T20:14:43.202Z

Link: CVE-2026-45302

Vulnrichment

Updated: 2026-06-02T14:44:14.933Z

NVD

Status : Deferred

Published: 2026-06-01T19:16:51.113

Modified: 2026-06-02T16:16:41.663

Link: CVE-2026-45302

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:53:28Z

Weaknesses
  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')