HomeCVE Intelligence › CVE-2026-45302
CVSS 8.2 HIGH Vulnerability

CVE-2026-45302: parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names

Summary parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__.…

8.2CVSS Score
HIGHSeverity
NOCISA KEV
VulnerabilityImpact Type

📋 Vulnerability Details

CVE IDCVE-2026-45302
Vendornpm
Affected Productparse-nested-form-data
Vulnerability TypeVulnerability
CVSS Score8.2 (HIGH)
Actively Exploited❌ No known exploitation
Patch StatusSee Vendor Advisory →
Reported ByCYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

#

Summary parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process.

Details The vulnerability is in handlePathPart in src/index.ts, which performs currentObject[pathPart.path] and currentObject[pathPart.path] = val for object-type path segments without rejecting reserved keys. When the segment is __proto__, the read returns Object.prototype, which then becomes the next traversal target, and the next assignment lands on the prototype. Reproduction on a

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-45302 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries
🛡️ Get Detection Pack → 🔌 Access via API →

🔗 Related Intelligence