CVE-2025-62381

Source
https://cve.org/CVERecord?id=CVE-2025-62381
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62381.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-62381
Aliases
Published
2025-10-15T17:12:47.357Z
Modified
2026-04-02T12:57:50.177022Z
Severity
  • 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L
Summary
sveltekit-superforms Prototype Pollution in `parseFormData` function of `formData.js`
Details

sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability in the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial of service, type confusion, and potential remote code execution in downstream applications that rely on the polluted objects. This vulnerability is fixed in 2.27.4.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62381.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1321"
    ]
}
References

Affected packages

Git / github.com/ciscoheat/sveltekit-superforms

Affected ranges

Type
GIT
Repo
https://github.com/ciscoheat/sveltekit-superforms
Events
Introduced
0 (unknown introducing commit; all previous commits are affected)
Fixed

Affected versions

v2.*
v2.0.0
v2.1.0
v2.10.5
v2.10.6
v2.11.0
v2.12.0
v2.12.3
v2.12.6
v2.13.0
v2.13.1
v2.14.0
v2.15.0
v2.15.1
v2.15.2
v2.16.0
v2.16.1
v2.17.0
v2.18.0
v2.18.1
v2.19.0
v2.19.1
v2.2.0
v2.2.1
v2.20.1
v2.21.0
v2.21.1
v2.22.0
v2.22.1
v2.23.0
v2.24.0
v2.24.1
v2.25.0
v2.26.0
v2.26.1
v2.27.0
v2.27.1
v2.27.2
v2.27.3
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.7.0
v2.8.0
v2.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62381.json"