


Perceptive Security
SOC/SIEM Consultancy

form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects wit…
Published: 28 May 2026 at 22:00:00
Alert date: 29 May 2026 at 15:02:48
Source: nvd.nist.gov
Supply Chain & Dependencies, Web Technologies
The form-data-objectizer npm package prior to version 1.0.1 contains a prototype pollution vulnerability. The library converts FormData to objects by walking bracket-notation form keys into nested objects without properly filtering dangerous properties like __proto__, constructor, or prototype. An attacker can exploit this by submitting HTTP form fields with names starting with __proto__[...], which causes the library to mutate Object.prototype and affects the entire Node.js process. This represents a critical security flaw that can lead to application-wide compromise. The vulnerability has been fixed in version 1.0.1.
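A hardened version of the bracket-notation walk described above, as an added example: it is not form-data-objectizer's code and not the 1.0.1 patch. The function names and sample fields are constructed for illustration, and array syntax such as name[] is left out.

```javascript
// Added example; names are hypothetical, not form-data-objectizer's API.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split "user[address][city]" into ["user", "address", "city"].
function parseBracketKey(name) {
  const match = /^([^\[\]]+)((?:\[[^\[\]]+\])*)$/.exec(name);
  if (!match) throw new Error(`malformed field name: ${name}`);
  const segments = [match[1]];
  for (const m of match[2].matchAll(/\[([^\[\]]+)\]/g)) segments.push(m[1]);
  return segments;
}

// True only for containers created by entriesToObject (null-prototype objects).
const isContainer = (v) =>
  typeof v === "object" && v !== null && Object.getPrototypeOf(v) === null;

// Convert [name, value] pairs (e.g. from FormData.entries()) to a nested object.
function entriesToObject(entries) {
  const root = Object.create(null); // no prototype chain to walk into
  for (const [name, value] of entries) {
    const segments = parseBracketKey(name);
    // Reject dangerous segments at any depth, not only the first one.
    const blocked = segments.find((s) => BLOCKED_KEYS.has(s));
    if (blocked !== undefined) throw new Error(`rejected key segment: ${blocked}`);
    let node = root;
    for (const segment of segments.slice(0, -1)) {
      if (!Object.prototype.hasOwnProperty.call(node, segment)) {
        node[segment] = Object.create(null);
      } else if (!isContainer(node[segment])) {
        throw new Error(`field ${name} conflicts with a value at ${segment}`);
      }
      node = node[segment];
    }
    node[segments[segments.length - 1]] = value;
  }
  return root;
}

// Constructed sample input: two ordinary fields and one polluting field name.
function demo() {
  const ok = entriesToObject([["user[name]", "alice"], ["user[address][city]", "Oslo"]]);
  let rejected = false;
  try { entriesToObject([["__proto__[polluted]", "yes"]]); } catch { rejected = true; }
  return { city: ok.user.address.city, rejected, polluted: "polluted" in {} };
}
```

The null-prototype containers are a second layer: even if the denylist missed a key, a lookup on a container could not reach Object.prototype.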
Technical details
Affected products:
form-data-objectizer
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-46510
https://github.com/kaspernj/form-data-objectizer/commit/7c54b99408e6e9cd6533b7245bf197dadc2a2dbc
https://github.com/kaspernj/form-data-objectizer/security/advisories/GHSA-m2hg-wjq3-28wq
This article was created with the assistance of AI technology by Perceptive.
