CVE-2026-44483: RVF: Prototype pollution in @rvf/set-get reachable via @rvf/core preprocessFormData (HTTP form data)
RVF (formerly Remix Validated Form) provides form validation and state management for React. In versions from 6.0.0 before 6.0.4 and from 7.0.0 before 7.0.2, setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on Object.prototype of the running server process. This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator is affected. The vulnerability is fixed in 6.0.4 and 7.0.2.
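The mechanism above, as an added illustration that is not code from @rvf/set-get, @rvf/core or the fix: a minimal setPath in the shape the advisory describes (walk a dotted or bracketed path, creating objects along the way) in a vulnerable form beside a hardened one, and a flattenFormData that hands raw field names straight to it. The function names, the path syntax (`.` and `[...]` as delimiters) and the sample submission are assumptions made for this example.

```javascript
'use strict';

// Keys that must never be walked or assigned when setting a nested path.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Split "todos[0].title" into ["todos", "0", "title"]. Treating "." and
// "[...]" as delimiters is an assumption about the path syntax, made for
// this illustration.
function toPathArray(path) {
  return path
    .replace(/\[([^\]]*)\]/g, '.$1')
    .split('.')
    .filter((segment) => segment.length > 0);
}

// VULNERABLE shape: walks the path with no key filtering. For the path
// "__proto__.isAdmin", target["__proto__"] is Object.prototype, so the
// final assignment lands on Object.prototype instead of on target.
function setPathUnsafe(target, path, value) {
  const segments = toPathArray(path);
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (cur[key] === undefined || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// HARDENED shape: refuse reserved keys anywhere in the path, and only
// descend into own properties so inherited objects are never reached.
function setPathSafe(target, path, value) {
  const segments = toPathArray(path);
  for (const key of segments) {
    if (RESERVED.has(key)) {
      throw new Error(`refusing reserved key "${key}" in field name "${path}"`);
    }
  }
  let cur = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[segments[segments.length - 1]] = value;
  return target;
}

// Flatten [name, value] pairs (what FormData.entries() yields) into a
// nested object by handing every field name straight to setPath.
function flattenFormData(entries, setPath) {
  const out = {};
  for (const [name, value] of entries) setPath(out, name, value);
  return out;
}

// Constructed sample submission: one ordinary field and one hostile name.
const HOSTILE_ENTRIES = [
  ['email', 'user@example.com'],
  ['__proto__.isAdmin', 'true'],
];

// Run the flattening with the given setPath and report whether a fresh,
// unrelated object now inherits "isAdmin". Cleans up afterwards so the
// pollution does not outlive the demonstration.
function demonstrate(setPath) {
  const before = ({}).isAdmin;
  let data = null;
  let error = null;
  try {
    data = flattenFormData(HOSTILE_ENTRIES, setPath);
  } catch (e) {
    error = e.message;
  }
  const after = ({}).isAdmin;
  delete Object.prototype.isAdmin;
  return { before, after, polluted: after !== undefined, error, data };
}

console.log('unsafe:', demonstrate(setPathUnsafe));
console.log('safe:  ', demonstrate(setPathSafe));
```

With the vulnerable walker the hostile field leaves no own property on the parsed object at all; the value surfaces instead on an unrelated `{}` created afterwards, which is exactly why the primitive is hard to spot from the parsed result alone. The hardened walker rejects the request before any assignment, and its own-property check also stops a path such as `constructor.prototype.x` from reaching Object.prototype through the constructor.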
HarborGuard Analysis
Synopsis
Prototype pollution in the @rvf/set-get package, used by @rvf/core in the RVF (Remix Validated Form) library, allows an unauthenticated remote attacker to inject arbitrary properties onto the JavaScript runtime's Object.prototype by submitting a crafted HTTP form. The vulnerability is reachable over the network with no authentication and no user interaction required, because field names from incoming form data are passed directly to the setPath function without filtering the reserved keys __proto__, constructor, and prototype. Successful exploitation lets an attacker tamper with shared server-side state, corrupt business logic that relies on inherited object properties, or degrade service availability. Fixed versions are 6.0.4 and 7.0.2; upgrading @rvf/core and @rvf/set-get (or the rvf package that bundles them) to those versions or later is the remediation. HarborGuard tracks this advisory and builds patched images against the fixed versions.
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that vendor or bundle @rvf/set-get or @rvf/core at affected versions (>=6.0.0 <6.0.4 or >=7.0.0 <7.0.2).
- Prioritization and routing: Available. HarborGuard surfaces this CVE with its CVSS v3.1 score of 8.2 (HIGH), weights it against each customer environment's compliance policy to determine urgency, and routes the finding to the appropriate team inbox within the affected organization.
- Patched-image rebuild: Upstream fix published. The advisory names 6.0.4 and 7.0.2 as the fixed versions; HarborGuard re-checks the advisory on every ingest cycle and targets the rebuild at those versions (or later). For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads are triggered without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must reach the application's HTTP form-handling endpoints over the network; any internet-exposed or internally networked Remix or React Router app using parseFormData or createValidator is in scope.
- Authentication: Not required
No account or session credential is required; the vulnerability is triggered by a standard unauthenticated HTTP form submission.
- Victim interaction: Not required
No action by any user of the application is needed; the attacker interacts directly with the endpoint.
- Attack complexity: Low (AC:L)
Exploitation is reliable and condition-free: no race condition, memory-layout dependency, or special server configuration is required beyond the affected library version being in use. A single form submission whose field name contains a reserved key as a path segment is sufficient.
Blast Radius
- Attacker injects arbitrary properties onto Object.prototype of the server Node.js process; every object that inherits from it, whether it already exists or is created later, sees those properties for the lifetime of the process.
- Polluted prototype properties are visible to any lookup that does not restrict itself to own properties, so security checks, authentication flags, or feature guards that expect a missing property to read as undefined can instead see an attacker-chosen value, enabling privilege escalation or authorization bypass within the app.
- Application logic relying on property-existence checks that fall through to the prototype (the in operator, truthiness tests, or default-value lookups such as opts.x ?? fallback) may behave incorrectly, leading to corrupted data writes or unexpected behavior in downstream business logic. Only lookups guarded with Object.prototype.hasOwnProperty.call(obj, key) are unaffected, and most code does not guard that way.
- Unexpected prototype state can cause runtime exceptions in third-party libraries or framework internals sharing the same process, degrading or crashing the service.
How HarborGuard Handles This
Available on HarborGuard: continuous advisory monitoring is active for CVE-2026-44483 across all customer environments scanning images that include @rvf/set-get or @rvf/core at affected versions. Upstream has fixed the issue in 6.0.4 and 7.0.2; HarborGuard re-checks the advisory on every ingest cycle and rebuilds affected images against those versions (or later). For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads are triggered without manual intervention. Until the upgrade is rolled out, compensating controls worth considering include restricting network access to form-accepting endpoints via network policy, and rejecting, at an API gateway or WAF layer before requests reach the application, any submission whose field name contains __proto__, constructor, or prototype as a path segment. That filter must operate on the decoded field name (the key can arrive percent-encoded or in bracket notation) and must cover multipart bodies as well as urlencoded ones. Because the pollution lives in process memory, restarting or redeploying the affected service discards any properties an attacker has already planted; a read-only filesystem does not help here, since nothing is written to disk.
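The gateway-layer check described above, as an added example that is not HarborGuard's, RVF's or any WAF vendor's code: it inspects a raw application/x-www-form-urlencoded body, percent-decodes each field name, splits it into path segments and rejects the request if any segment is a reserved key. Treating `.` and `[...]` as segment delimiters is an assumption about the path syntax; the sample bodies are constructed for the example, and multipart bodies are out of scope here (their field names need the same per-segment test after the multipart parser).

```javascript
'use strict';

// Reserved path segments that must never appear in a submitted field name.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Split "profile[__proto__][isAdmin]" into ["profile", "__proto__", "isAdmin"].
// Treating "." and "[...]" as delimiters is an assumption about the path
// syntax, made for this illustration.
function toPathArray(fieldName) {
  return fieldName
    .replace(/\[([^\]]*)\]/g, '.$1')
    .split('.')
    .filter((segment) => segment.length > 0);
}

// First reserved segment in a (decoded) field name, or null if it is clean.
// A substring match on the whole name would also flag "my__proto__field";
// checking per segment keeps the rejection precise.
function reservedSegment(fieldName) {
  for (const segment of toPathArray(fieldName)) {
    if (RESERVED.has(segment)) return segment;
  }
  return null;
}

// Inspect a raw application/x-www-form-urlencoded body. URLSearchParams
// percent-decodes the names, so "%5F%5Fproto%5F%5F" is caught as well as
// the literal spelling; a rule that matches the raw bytes would miss it.
function inspectUrlencodedBody(rawBody) {
  const violations = [];
  for (const name of new URLSearchParams(rawBody).keys()) {
    const segment = reservedSegment(name);
    if (segment !== null) violations.push({ field: name, segment });
  }
  return { allowed: violations.length === 0, violations };
}

// Constructed sample bodies: two that should pass, four hostile spellings.
const SAMPLE_BODIES = {
  benign: 'email=user%40example.com&todos%5B0%5D.title=buy+milk',
  lookalike: 'my__proto__field=1',
  dotted: 'email=a%40b.c&__proto__.isAdmin=true',
  bracket: 'profile%5B__proto__%5D%5BisAdmin%5D=true',
  encoded: '%5F%5Fproto%5F%5F.isAdmin=true',
  viaConstructor: 'constructor.prototype.isAdmin=true',
};

for (const [label, body] of Object.entries(SAMPLE_BODIES)) {
  console.log(label, JSON.stringify(inspectUrlencodedBody(body)));
}
```

Rejecting `constructor` as a segment also blocks a legitimate field literally named constructor; that matches what the upstream fix does to the same key, so a gateway rule with the same behaviour will not break anything the patched library would have accepted.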
Metrics
- CVSS v3.1: 8.2
- Severity: HIGH
- Fixed in: 6.0.4, 7.0.2
- Affected Products: 2
  - airjp73/rvf: >= 7.0.0, < 7.0.2 · >= 6.0.0, < 6.0.4
  - @rvf/set-get: >= 7.0.0, < 7.0.2 · >= 6.0.0, < 6.0.4
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L