Description
form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...] causes the library to mutate Object.prototype, which is a prototype pollution primitive of the entire Node.js process. This vulnerability is fixed in 1.0.1.
Published: 2026-05-29
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a prototype pollution flaw in the form-data-objectizer library, where unfiltered bracket-notation keys beginning with __proto__ can modify Object.prototype. This compromise of fundamental JavaScript prototypes could allow an attacker to alter behavior across the entire Node.js process, potentially leading to arbitrary code execution or privilege escalation. The weakness corresponds to CWE-1321, indicating uncontrolled modification of an object's prototype.

Affected Systems

The affected product is the Kaspernj Form Data Objectizer library, versions prior to 1.0.1. Any Node.js application that depends on this library and processes form-data with bracket notation is vulnerable.

Risk and Exploitability

The CVSS score of 8.2 marks this as a high-severity flaw. The EPSS score is not available, so the current likelihood of exploitation cannot be quantified, and it is not listed in CISA KEV. The likely attack vector is inferred to be an HTTP form submission to an application that uses form-data-objectizer, as the flaw is triggered by form keys supplied in a request. Without additional mitigation, an attacker who succeeds in sending a malicious form could alter Object.prototype and thereby affect the entire Node.js runtime.

Generated by OpenCVE AI on May 29, 2026 at 15:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade form-data-objectizer to version 1.0.1 or later, which removes the prototype pollution path.
  • Validate or sanitize form field names in incoming requests to reject keys that begin with __proto__, constructor, or prototype before conversion.
  • Audit existing code that imports form-data-objectizer and ensure that no legacy versions remain on any deployed runtime.
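As an added example (not form-data-objectizer's own code), the following bracket-notation form-key walker applies the second action above: every key segment is checked against __proto__, constructor and prototype before any object is touched, so a field named __proto__[polluted] is rejected rather than reaching Object.prototype. The names objectize() and splitKey() and the [name, value] entry format are assumptions.

```javascript
// Added example, not form-data-objectizer's own code: the names objectize()
// and splitKey() and the [name, value] entry format are assumptions.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Split "user[address][city]" into ["user", "address", "city"];
// a "[]" becomes an empty segment meaning "append to array".
function splitKey(name) {
  const match = /^([^\[\]]+)((?:\[[^\[\]]*\])*)$/.exec(name);
  if (!match) throw new TypeError(`malformed form key: ${name}`);
  const segments = [match[1]];
  if (match[2]) segments.push(...match[2].slice(1, -1).split("]["));
  return segments;
}

// Build a nested plain object from [name, value] entries (the shape
// FormData.prototype.entries() yields), refusing any key whose segments
// would walk from the result object up into Object.prototype.
function objectize(entries) {
  const result = {};
  for (const [name, value] of entries) {
    const segments = splitKey(name);
    const bad = segments.find((seg) => FORBIDDEN_SEGMENTS.has(seg));
    if (bad !== undefined) {
      throw new Error(`rejected form key "${name}": segment "${bad}" would alter prototypes`);
    }
    let node = result;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (seg === "") throw new TypeError(`form key "${name}": "[]" is only allowed last`);
      const nextIsArray = segments[i + 1] === "";
      // Only descend into containers this walker created itself, so a
      // scalar stored earlier can never become a traversal point.
      if (!Object.hasOwn(node, seg)) node[seg] = nextIsArray ? [] : {};
      node = node[seg];
      if (typeof node !== "object" || node === null) {
        throw new TypeError(`form key "${name}" conflicts with a scalar value`);
      }
    }
    const last = segments[segments.length - 1];
    if (last === "") {
      if (!Array.isArray(node)) throw new TypeError(`form key "${name}" expects an array`);
      node.push(value);
    } else {
      node[last] = value;
    }
  }
  return result;
}
```

Rejecting the key outright (rather than silently dropping the segment) also leaves a clear signal in application logs when such a field shows up in a request.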

Advisories
Source: GitHub GHSA
ID: GHSA-m2hg-wjq3-28wq
Title: form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys

History

Fri, 29 May 2026 16:00:00 +0000

Type: First Time appeared
Values added: Kaspernj; Kaspernj form-data-objectizer

Type: Vendors & Products
Values added: Kaspernj; Kaspernj form-data-objectizer

Fri, 29 May 2026 13:45:00 +0000

Type: Description
Values added: the Description text shown at the top of this page

Type: Title
Values added: Prototype pollution in form-data-objectizer via bracket-notation form keys

Type: Weaknesses
Values added: CWE-1321

Type: References

Type: Metrics
Values added: cvssV3_1, score 8.2, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-29T13:40:22.772Z
Reserved: 2026-05-14T19:12:32.754Z
Link: CVE-2026-46510

Vulnrichment

No data.

NVD

Status: Received
Published: 2026-05-29T14:16:31.807
Modified: 2026-05-29T14:16:31.807
Link: CVE-2026-46510

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:46:27Z

Weaknesses