HarborGuard Database

CVE-2026-45302 | Severity: HIGH | CNA: GitHub_M

CVE-2026-45302: Prototype Pollution in parse-nested-form-data via `__proto__` in FormData field names

parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1.
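As an added example (not parse-nested-form-data's own code), the following JavaScript shows the shape of a defensive parser for the same bracket/dot field-name grammar: every path segment is checked against the reserved keys `__proto__`, `constructor` and `prototype` before the walk continues, containers are created with `Object.create(null)` so nothing is ever assigned through an inherited property, and a snapshot of `Object.prototype`'s own keys taken at startup serves as a cheap runtime check that the prototype is still clean. The grammar supported, the function names and the sample inputs are assumptions for the illustration.

```javascript
// Added example, not the module's code. Parses FormData-style [name, value]
// pairs with bracket/dot notation ("user.name", "user[roles][]", "ids[0]")
// into a nested object while refusing to traverse reserved property keys.

const RESERVED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Snapshot of Object.prototype's own keys at module load; any extra key seen
// later means something in the process polluted the prototype.
const BASELINE_PROTO_KEYS = new Set(Object.getOwnPropertyNames(Object.prototype));

function prototypeIsClean() {
  return Object.getOwnPropertyNames(Object.prototype)
    .every((k) => BASELINE_PROTO_KEYS.has(k));
}

// "user[address].city" -> ["user", "address", "city"]; "tags[]" -> ["tags", ""].
// Assumes dots inside brackets are not used (simplification for the example).
function splitPath(name) {
  const segments = [];
  for (const part of name.split(".")) {
    const m = part.match(/^([^[\]]*)((?:\[[^[\]]*\])*)$/);
    if (!m) throw new Error(`malformed field name: ${name}`);
    if (m[1] !== "") segments.push(m[1]);
    for (const b of m[2].matchAll(/\[([^[\]]*)\]/g)) segments.push(b[1]);
  }
  return segments;
}

function assertSafeSegment(seg, name) {
  if (RESERVED_KEYS.has(seg)) {
    throw new Error(`rejected reserved key "${seg}" in field name "${name}"`);
  }
}

// entries: any iterable of [name, value] pairs, e.g. formData.entries().
function parseNestedFields(entries) {
  const root = Object.create(null); // no prototype chain to walk onto
  for (const [name, value] of entries) {
    const path = splitPath(name);
    if (path.length === 0) throw new Error("empty field name");
    let node = root;
    for (let i = 0; i < path.length; i++) {
      const seg = path[i];
      assertSafeSegment(seg, name); // reject before touching the object
      const last = i === path.length - 1;
      if (last) {
        if (seg === "") { // "tags[]": append to the array
          if (!Array.isArray(node)) throw new Error(`"[]" on non-array in ${name}`);
          node.push(value);
        } else {
          node[seg] = value;
        }
        continue;
      }
      if (seg === "") throw new Error(`"[]" only supported as last segment: ${name}`);
      const next = path[i + 1];
      // Only descend into a container this parser created itself (own property),
      // never into something reachable through inheritance.
      if (!Object.prototype.hasOwnProperty.call(node, seg)) {
        node[seg] = next === "" || /^\d+$/.test(next) ? [] : Object.create(null);
      }
      node = node[seg];
    }
  }
  return root;
}

// Constructed sample input shaped like FormData.entries() output.
function demo() {
  const benign = [
    ["user.name", "alice"],
    ["user[roles][]", "viewer"],
    ["user[roles][]", "editor"],
    ["ids[0]", "7"],
  ];
  const parsed = parseNestedFields(benign);
  let rejected = null;
  try {
    parseNestedFields([["__proto__.polluted", "yes"]]); // constructed hostile name
  } catch (e) {
    rejected = e.message;
  }
  return { parsed, rejected, clean: prototypeIsClean() && ({}).polluted === undefined };
}

module.exports = { parseNestedFields, splitPath, prototypeIsClean, demo };
```

`prototypeIsClean()` is the kind of check worth running in a test suite or a health probe after fuzzing the form endpoints: it detects pollution regardless of which dependency introduced it, whereas the segment filter only protects this parser.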

Metrics

  • CVSS v3.1: 8.2
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Prototype pollution in the parse-nested-form-data Node.js module allows an unauthenticated remote attacker to corrupt the shared Object.prototype of the running process. The parser does not filter reserved property keys such as __proto__ when walking bracket or dot-notation FormData field names, so a single crafted HTTP form submission is enough to trigger the corruption. Successful exploitation lets the attacker tamper with application logic, inject unexpected properties into every plain object in the process, and may cause partial service disruption. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle parse-nested-form-data as a dependency.

Triage: Available

HarborGuard scores this finding at CVSS 8.2 HIGH and is capable of weighting it against each environment's compliance policy to determine urgency before routing the alert to the appropriate team inbox within the customer org.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. Until then, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation for workloads that process untrusted FormData.

Exploit Conditions

  • Network reachability: Required

    The vulnerable parser is exposed over the network; an attacker can send a crafted FormData HTTP request from anywhere on the internet without needing LAN or physical access.

  • Authentication: Not required

    No account or credential is needed; the malicious FormData field can be submitted by any unauthenticated HTTP client.

  • Victim interaction: Not required

    No user action is required; the attacker sends the request directly to the service endpoint without any social engineering.

  • Attack complexity: Low

    The exploit is reliable and condition-free: placing __proto__ in a FormData field name is sufficient to trigger prototype pollution with no race conditions or special environmental setup.

Blast Radius

  • Injects arbitrary properties onto Object.prototype, silently changing the behavior of every plain object created in the same Node.js process for the lifetime of that process.
  • Overwrites or spoofs application-logic properties (such as role flags, feature toggles, or configuration keys) in code that reads from plain objects without hasOwnProperty guards.
  • Causes partial service disruption if injected properties break assumptions in framework internals or third-party libraries, leading to unhandled exceptions or degraded request handling.

How HarborGuard Handles This

Available on HarborGuard: because no fix version exists for this CVE yet, HarborGuard continuously re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as the maintainer publishes a remediated release. In the meantime, customers can use HarborGuard's policy engine to apply compensating controls: network-policy isolation rules can restrict which workloads are permitted to receive untrusted multipart form submissions, egress filtering can limit lateral movement if a process is compromised, and feature-flag gating can disable form-parsing endpoints in affected services until a fix is available. Findings at this severity are surfaced immediately in the customer dashboard with CVSS 8.2 HIGH scoring and routed to the configured team inbox for manual triage.

Affected packages

  • milamer / parse-nested-form-data: < 1.0.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L