parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot…

A prototype pollution vulnerability in the parse-nested-form-data Node.js module allows attackers to pollute Object.prototype by crafting FormData field names containing __proto__. The parseFormData() function fails to filter reserved property keys when processing bracket and dot-notation field names. This enables traversal onto Object.prototype and assignment of properties there, affecting all plain objects in the running process. The vulnerability was patched in version 1.0.1 of the module.