CVE-2026-45302

Source
https://cve.org/CVERecord?id=CVE-2026-45302
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45302.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45302
Aliases
Published
2026-06-01T17:20:34.772Z
Modified
2026-07-08T08:02:17.069901314Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L CVSS Calculator
Summary
Prototype Pollution in parse-nested-form-data via `__proto__` in FormData field names
Details

parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with proto, or contains .proto. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process. This issue has been patched in version 1.0.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45302.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1321"
    ]
}
References

Affected packages

Git / github.com/milamer/parse-nested-form-data

Affected ranges

Type
GIT
Repo
https://github.com/milamer/parse-nested-form-data
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v1.*
v1.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45302.json"