CVE-2025-62381
8.3
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L
Summary
sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial of service, type confusion, and potential remote code execution in downstream applications that rely on polluted objects. This vulnerability is fixed in 2.27.4.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ciscoheat | sveltekit-superforms | < 2.27.4 | affected |
Weaknesses
- CWE-1321: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://github.com/ciscoheat/sveltekit-superforms/security/advisories/GHSA-hwmc-4c8j-xxj7
- https://github.com/ciscoheat/sveltekit-superforms/commit/4a1310dd1a94176bb22036662c530dad48059ca4
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.