PatchSiren cyber security CVE debrief

CVE-2026-44483 airjp73 CVE debrief

## Summary

A prototype pollution vulnerability in RVF (Remix Validated Form) allows attackers to pollute `Object.prototype` by submitting crafted form data whose field names contain the segments `__proto__`, `constructor`, or `prototype`. The `setPath` function in `@rvf/set-get` fails to block these keys when it expands flat form data into a nested object, enabling arbitrary property injection on the server. This is default-reachable: any endpoint using `parseFormData` or `createValidator` is affected without special configuration.

## Affected Versions

- `@rvf/core` / `@rvf/set-get`: 6.0.0 to 6.0.3 (fixed in 6.0.4)
- `@rvf/core` / `@rvf/set-get`: 7.0.0 to 7.0.1 (fixed in 7.0.2)

## Attack Vector

Remote, unauthenticated attackers can exploit this by submitting HTTP POST requests with maliciously named form fields. The vulnerability is triggered through the normal form processing pipeline (`preprocessFormData` → `setPath`); no special configuration or user interaction is required (CVSS PR:N/UI:N).

## Impact

- **Confidentiality**: None direct (CVSS C:N)
- **Integrity**: High (CVSS I:H) — arbitrary property injection on `Object.prototype`, inherited by every plain object in the process
- **Availability**: Low (CVSS A:L) — potential application instability from prototype corruption

## Recommended Actions

1. **Upgrade immediately** to a patched version (6.0.4 or later on the 6.x line, 7.0.2 or later on 7.x)
2. **Audit applications** for server-side logic that depends on `Object.prototype` integrity, such as `in` checks or truthiness checks on properties an attacker could inject
3. **Implement input validation** as defense-in-depth: reject form field names containing `__proto__`, `constructor`, or `prototype` segments before they reach any path-setting code
4. **Review dependencies** to identify transitive usage of `@rvf/core` or `@rvf/set-get`

## Timeline

- **2026-05-27**: CVE published and initial disclosure
- **2026-05-27**: CVE modified (metadata update)

Vendor
airjp73
Product
rvf
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-06-01
Advisory published
2026-05-27
Advisory updated
2026-06-01

Who should care

Organizations running Remix or React Router applications with server-side form processing using RVF versions 6.0.0-6.0.3 or 7.0.0-7.0.1. This particularly affects applications using `parseFormData`, `createValidator`, or direct `@rvf/set-get` imports for form data transformation.

Technical summary

The `setPath` utility in `@rvf/set-get` traverses dot-notation paths to construct nested objects from flat form data. When a path segment is `__proto__`, `constructor`, or `prototype`, the implementation looks the segment up with ordinary property access (`obj[key]`) and no safeguard. Because `obj["__proto__"]` resolves to the object's prototype rather than to an own property, the traversal steps onto `Object.prototype` (directly, or via `constructor.prototype`) and the final segment is written there instead of on the form object; every object that inherits from `Object.prototype` then sees the attacker-supplied property. The vulnerability propagates through `preprocessFormData`, which is invoked by `parseFormData` and the validator creation flows, so it is reachable from any form-handling endpoint in a Remix/React Router application using RVF.
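The traversal described above (and in the Summary), as an added example written for this debrief. It is not RVF's own `setPath`; `setPathUnsafe`, `setPathSafe`, `buildFromEntries`, `demo`, and the two request bodies are constructed to show how a naive dot-path setter lands on `Object.prototype` and how rejecting the three dangerous segment names, plus only descending into own properties, closes the hole:

```javascript
// Added example for this debrief; not RVF's own setPath, but a minimal setter
// in the same style to show the failure mode and the fix. The function names
// and the request bodies below are constructed for illustration.

// Segment names that resolve to, or lead to, Object.prototype.
const DANGEROUS_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// "user.roles[0]" -> ["user", "roles", "0"]: bracket indices become dot segments.
function splitPath(path) {
  return path.replace(/\[(\w+)\]/g, ".$1").split(".").filter((s) => s.length > 0);
}

// Vulnerable pattern: walk the path with plain property access and create
// intermediate containers only when the lookup is undefined/null. Because
// ({})["__proto__"] is Object.prototype (not undefined), the walk steps onto
// the shared prototype and the final assignment lands there.
function setPathUnsafe(obj, path, value) {
  const segs = splitPath(path);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const key = segs[i];
    if (cur[key] === undefined || cur[key] === null) {
      cur[key] = /^\d+$/.test(segs[i + 1]) ? [] : {};
    }
    cur = cur[key];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Hardened pattern: reject the three dangerous segment names up front, and
// only descend into containers the target object itself owns, so inherited
// properties (constructor, __proto__, ...) are never used as a path step.
function setPathSafe(obj, path, value) {
  const segs = splitPath(path);
  for (const seg of segs) {
    if (DANGEROUS_SEGMENTS.has(seg)) {
      throw new Error(`rejected field name "${path}": segment "${seg}" is not allowed`);
    }
  }
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const key = segs[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || cur[key] === null || typeof cur[key] !== "object") {
      cur[key] = /^\d+$/.test(segs[i + 1]) ? [] : {};
    }
    cur = cur[key];
  }
  cur[segs[segs.length - 1]] = value;
  return obj;
}

// Expand flat [name, value] pairs (what FormData.entries() or
// URLSearchParams.entries() yields) into a nested object with the given setter.
function buildFromEntries(entries, setPath) {
  const out = {};
  for (const [name, value] of entries) setPath(out, name, value);
  return out;
}

// Constructed request bodies: benign form fields plus one hostile field name.
const BODY_PROTO = "user.name=alice&user.roles[0]=viewer&__proto__.isAdmin=true";
const BODY_CTOR = "user.name=alice&constructor.prototype.isAdmin=true";

// Parse a body with the given setter and report whether an unrelated object,
// created before parsing, now inherits the injected property. The pollution
// is removed afterwards so the rest of the process is not left corrupted.
function demo(setPath, body) {
  const probe = {};
  let parsed = null;
  let error = null;
  try {
    parsed = buildFromEntries([...new URLSearchParams(body).entries()], setPath);
  } catch (e) {
    error = e.message;
  }
  const leaked = probe.isAdmin; // "true" only if Object.prototype was polluted
  delete Object.prototype.isAdmin;
  return { parsed, error, leaked };
}

for (const body of [BODY_PROTO, BODY_CTOR]) {
  console.log("unsafe:", JSON.stringify(demo(setPathUnsafe, body)));
  console.log("safe:  ", JSON.stringify(demo(setPathSafe, body)));
}
```

Note that `probe` is created before any form data is processed and never touched by the setter; with the unsafe setter it still reports `isAdmin === "true"`, which is exactly the cross-request, cross-object reach that makes CWE-1321 an integrity problem rather than a malformed-input nuisance. The `hasOwnProperty` check in the safe version is the second half of the fix: even if a new dangerous alias were ever added to the language, the walk could no longer step through an inherited property.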

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to @rvf/core 6.0.4 or 7.0.2 or later
  • Audit server-side code for Object.prototype dependencies
  • Review all applications using parseFormData or createValidator
  • Scan dependency trees for affected @rvf/set-get versions, including transitive installs (e.g. `npm ls @rvf/set-get @rvf/core`, or the equivalent for pnpm/yarn)

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-c567-44rc-m5hq. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L. CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes).

Official resources

2026-05-27T17:16:39.510Z