PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46510 kaspernj CVE debrief

form-data-objectizer prior to 1.0.1 is vulnerable to prototype pollution via bracket-notation form keys. An attacker can submit an HTTP form field with a name starting with `__proto__[...]` to mutate `Object.prototype`, affecting the entire Node.js process. This is a HIGH severity vulnerability (CVSS 8.2) with network attack vector, low complexity, and no privileges required. The issue is fixed in version 1.0.1.

Vendor
kaspernj
Product
form-data-objectizer
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations using form-data-objectizer versions prior to 1.0.1 in Node.js applications that process untrusted form data. This includes web applications, API services, and any server-side code handling multipart/form-data or URL-encoded form submissions.

Technical summary

The form-data-objectizer library converts FormData to JavaScript objects. When processing bracket-notation keys (e.g., `name[sub]`), the library recursively builds nested objects without validating the path segments against dangerous property names. A form field named `__proto__[polluted]` makes the first hop resolve to `Object.prototype`, so the final assignment lands on `Object.prototype.polluted` and is inherited by every object in the Node.js process. Because unrelated code then sees a property it never set, an attacker can change application behavior: a polluted value can crash code that does not expect it (denial of service), bypass checks that test only for a property's presence, or, where the polluted property reaches a sink such as a template engine or child-process options, escalate to code execution. The actual impact depends on which code paths in the application read the polluted property.
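The following is an added illustration, not the form-data-objectizer source or its 1.0.1 fix: a minimal bracket-notation parser that reproduces the behaviour described above, beside a hardened variant. The function names, the input shape (an array of `[name, value]` pairs, as `FormData.entries()` yields), and the choice to throw on a dangerous segment are assumptions made for this example; the library's real fix may differ in detail.

```javascript
// Added example, not the form-data-objectizer source: a minimal bracket-notation
// parser that reproduces the behaviour the advisory describes, beside a hardened
// variant. Input shape ([name, value] pairs, as FormData.entries() yields) and the
// choice to throw on a dangerous segment are assumptions made for this example.

// Split "user[address][city]" into ["user", "address", "city"]. Keys without
// brackets yield a single segment; array ("a[]") semantics are left out.
function splitKey(name) {
  const m = /^([^[\]]+)((?:\[[^[\]]*\])*)$/.exec(name);
  if (!m) return [name];
  const segs = [m[1]];
  const re = /\[([^[\]]*)\]/g;
  let s;
  while ((s = re.exec(m[2])) !== null) segs.push(s[1]);
  return segs;
}

// Vulnerable: descends through whatever path the client names. For
// "__proto__[polluted]" the first hop reads out.__proto__, which is
// Object.prototype, so the final assignment lands on every object.
function objectizeUnsafe(pairs) {
  const out = {};
  for (const [name, value] of pairs) {
    const segs = splitKey(name);
    let cur = out;
    for (let i = 0; i < segs.length - 1; i++) {
      if (typeof cur[segs[i]] !== 'object' || cur[segs[i]] === null) cur[segs[i]] = {};
      cur = cur[segs[i]];
    }
    cur[segs[segs.length - 1]] = value;
  }
  return out;
}

// Hardened: reject the three segment names that reach the prototype chain,
// and only descend into objects this parser created itself (own properties),
// never into something inherited from the prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function objectizeSafe(pairs) {
  const out = {};
  for (const [name, value] of pairs) {
    const segs = splitKey(name);
    if (segs.some((s) => FORBIDDEN_SEGMENTS.has(s))) {
      throw new Error(`rejected form field name: ${name}`);
    }
    let cur = out;
    for (let i = 0; i < segs.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(cur, segs[i]);
      if (!own || typeof cur[segs[i]] !== 'object' || cur[segs[i]] === null) {
        cur[segs[i]] = {};
      }
      cur = cur[segs[i]];
    }
    cur[segs[segs.length - 1]] = value;
  }
  return out;
}

// Show the difference: the unsafe parser leaves a property visible on a fresh {},
// the safe one refuses the field. Cleans up so the process is not left polluted.
function demonstrate() {
  objectizeUnsafe([['__proto__[polluted]', 'yes']]);
  const leaked = ({}).polluted; // 'yes'
  delete Object.prototype.polluted;
  let rejected = false;
  try { objectizeSafe([['__proto__[polluted]', 'yes']]); } catch (e) { rejected = true; }
  return { leaked, rejected, stillClean: ({}).polluted === undefined };
}
```

The deny-list on segments is the essential check; the own-property test is defence in depth so that a future special name cannot be walked into. Building the nested containers with `Object.create(null)` would also block the `__proto__` path, at the cost of returning objects without `Object.prototype` methods, which downstream code may not expect.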

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade form-data-objectizer to version 1.0.1 or later
  • Validate and sanitize all incoming form field names before processing
  • Implement input filtering to reject keys whose bracket path contains the segment `__proto__`, `constructor`, or `prototype` (check each segment after URL decoding, not just the raw string, so percent-encoded variants are caught)
  • Review application code for prototype pollution patterns if using affected versions
  • Monitor for suspicious form submissions with bracket-notation keys targeting prototype properties
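As an added example of the monitoring and filtering steps above (not code from the advisory or the library), the screen below decodes raw `application/x-www-form-urlencoded` bodies or query strings and reports field names whose bracket path targets a prototype property. The sample bodies are constructed for the example; `URLSearchParams` is the standard Node.js global.

```javascript
// Added example, not from the advisory or form-data-objectizer: flag form field
// names whose bracket path contains __proto__, constructor or prototype.
// The sample request bodies below are constructed for this example.

// A dangerous name appears as a whole segment: at the start of the key or inside
// brackets, and followed by "[", "]" or the end. "prototypes[x]" does not match.
const SUSPICIOUS_SEGMENT = /(^|\[)(__proto__|constructor|prototype)(\]|\[|$)/;

// Return the decoded field names in `body` that target prototype properties.
// URLSearchParams percent-decodes, so %5F%5Fproto%5F%5F is caught as well.
function findPollutionKeys(body) {
  const hits = [];
  for (const [name] of new URLSearchParams(body)) {
    if (SUSPICIOUS_SEGMENT.test(name)) hits.push(name);
  }
  return hits;
}

// Constructed samples: one benign body, then three attempts (plain, nested with a
// percent-encoded __proto__, and the constructor.prototype route).
const SAMPLE_BODIES = [
  'user%5Bname%5D=alice&user%5Bemail%5D=a%40example.com',
  '__proto__%5Bpolluted%5D=1&user%5Bname%5D=mallory',
  'user%5B%5F%5Fproto%5F%5F%5D%5BisAdmin%5D=true',
  'constructor%5Bprototype%5D%5BisAdmin%5D=true',
];

// Screen a batch of bodies; returns the index of each flagged body with the
// offending decoded names, suitable for an alert or a reject-before-parse hook.
function screen(bodies) {
  return bodies
    .map((body, index) => ({ index, keys: findPollutionKeys(body) }))
    .filter((r) => r.keys.length > 0);
}
```

Run the same check in the request pipeline ahead of the form parser to reject the request outright, and on access logs that record decoded field names to spot probing after the fact.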

Evidence notes

The vulnerability exists in form-data-objectizer versions prior to 1.0.1. The root cause is improper filtering of special property names (`__proto__`, `constructor`, `prototype`) when parsing bracket-notation form keys. The fix commit 7c54b99408e6e9cd6533b7245bf197dadc2a2dbc addresses this issue.

Official resources

This CVE was published on 2026-05-29. The vulnerability was disclosed through GitHub Security Advisories with a fix commit available.