


Perceptive Security
SOC/SIEM Consultancy

parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot…
Published: 31 May 2026 at 22:00:00
Alert date: 1 June 2026 at 20:04:42
Source: nvd.nist.gov
Supply Chain & Dependencies, Web Technologies
A prototype pollution vulnerability in the parse-nested-form-data Node.js module allows attackers to pollute Object.prototype by crafting FormData field names containing __proto__. The parseFormData() function fails to filter reserved property keys when processing bracket and dot-notation field names. This enables traversal onto Object.prototype and assignment of properties there, affecting all plain objects in the running process. The vulnerability was patched in version 1.0.1 of the module.
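The reserved-key filtering described above, sketched as an added example (not the module's own code and not its 1.0.1 patch). The names `parseFieldsSafely`, `splitPath` and `RESERVED_KEYS` are hypothetical, the input is constructed, and the sketch handles nested objects only, not arrays; treating `constructor` and `prototype` as reserved alongside `__proto__` is an assumption that goes beyond what the advisory states.

```javascript
// Added illustration, not the parse-nested-form-data source code.
// Keys that resolve to the prototype chain instead of own data properties (assumed set).
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "user.address[city]" into ["user", "address", "city"].
function splitPath(name) {
  return name.split(/[.\[\]]+/).filter((segment) => segment !== '');
}

// Hypothetical hardened parser: takes [name, value] pairs, e.g. formData.entries().
function parseFieldsSafely(entries) {
  const root = Object.create(null); // null prototype: nothing to traverse onto
  const rejected = [];
  for (const [name, value] of entries) {
    const path = splitPath(name);
    if (path.length === 0 || path.some((key) => RESERVED_KEYS.has(key))) {
      rejected.push(name); // keep the name so it can be logged or alerted on
      continue;
    }
    let node = root;
    for (const key of path.slice(0, -1)) {
      // Descend only into own properties that already hold a container.
      if (!Object.prototype.hasOwnProperty.call(node, key) ||
          typeof node[key] !== 'object' || node[key] === null) {
        node[key] = Object.create(null);
      }
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return { data: root, rejected };
}

// Constructed sample input: two ordinary fields, two names containing __proto__.
const sampleEntries = [
  ['user[name]', 'alice'],
  ['user.address[city]', 'Utrecht'],
  ['__proto__[isAdmin]', 'true'],
  ['user.__proto__.isAdmin', 'true'],
];

function runSample() {
  const { data, rejected } = parseFieldsSafely(sampleEntries);
  // 'isAdmin' in {} is true only if Object.prototype was polluted.
  return { data, rejected, polluted: 'isAdmin' in {} };
}

console.log(JSON.stringify(runSample()));
```

Returning the rejected field names gives the request handler something to log, so attempts show up in application telemetry rather than being dropped silently.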
Affected products:
parse-nested-form-data
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-45302
https://github.com/milamer/parse-nested-form-data/commit/527ad58eb486e32438f7198fb88315c20449d792
https://github.com/milamer/parse-nested-form-data/releases/tag/v1.0.1
https://github.com/milamer/parse-nested-form-data/security/advisories/GHSA-xp7r-j8r6-j9h3
This article was created with the assistance of AI technology by Perceptive.
