CVE-2026-45302: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in milamer parse-nested-form-data
CVE-2026-45302 is a high-severity prototype pollution vulnerability in the Node. js module parse-nested-form-data prior to version 1. 0. 1. The vulnerability arises because the parseFormData() function does not filter reserved property keys when parsing FormData field names, allowing an attacker to modify Object. prototype properties. This can lead to modification of the prototype chain for all plain objects in the process, potentially causing unexpected behavior or security issues. The vulnerability has been patched in version 1. 0. 1.
AI Analysis
Technical Summary
The parse-nested-form-data Node.js module versions before 1.0.1 contain a prototype pollution vulnerability (CWE-1321) due to improper filtering of reserved keys like '__proto__' in FormData field names. When a FormData field name begins with '__proto__' or includes it mid-path, the parser assigns properties directly onto Object.prototype, polluting the prototype chain of all plain objects in the runtime environment. This can lead to arbitrary modification of object prototypes, impacting application integrity. The issue is fixed in version 1.0.1.
Potential Impact
Successful exploitation allows an attacker to modify the Object.prototype, which can affect all plain objects in the Node.js process. This can lead to unexpected behavior, potential denial of service, or other integrity issues in applications using vulnerable versions of parse-nested-form-data. The CVSS score of 8.2 reflects high impact on integrity with network attack vector and no required privileges or user interaction.
Mitigation Recommendations
Upgrade parse-nested-form-data to version 1.0.1 or later, where the vulnerability is patched. No other vendor advisory or patch information is available, so applying this official fix is the recommended remediation. Patch status is not explicitly stated but the description confirms the issue is fixed in 1.0.1.
CVE-2026-45302: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in milamer parse-nested-form-data
Description
CVE-2026-45302 is a high-severity prototype pollution vulnerability in the Node. js module parse-nested-form-data prior to version 1. 0. 1. The vulnerability arises because the parseFormData() function does not filter reserved property keys when parsing FormData field names, allowing an attacker to modify Object. prototype properties. This can lead to modification of the prototype chain for all plain objects in the process, potentially causing unexpected behavior or security issues. The vulnerability has been patched in version 1. 0. 1.
CVSS v3.1
Score 8.2high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The parse-nested-form-data Node.js module versions before 1.0.1 contain a prototype pollution vulnerability (CWE-1321) due to improper filtering of reserved keys like '__proto__' in FormData field names. When a FormData field name begins with '__proto__' or includes it mid-path, the parser assigns properties directly onto Object.prototype, polluting the prototype chain of all plain objects in the runtime environment. This can lead to arbitrary modification of object prototypes, impacting application integrity. The issue is fixed in version 1.0.1.
Potential Impact
Successful exploitation allows an attacker to modify the Object.prototype, which can affect all plain objects in the Node.js process. This can lead to unexpected behavior, potential denial of service, or other integrity issues in applications using vulnerable versions of parse-nested-form-data. The CVSS score of 8.2 reflects high impact on integrity with network attack vector and no required privileges or user interaction.
Mitigation Recommendations
Upgrade parse-nested-form-data to version 1.0.1 or later, where the vulnerability is patched. No other vendor advisory or patch information is available, so applying this official fix is the recommended remediation. Patch status is not explicitly stated but the description confirms the issue is fixed in 1.0.1.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-11T20:14:43.202Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1de306e29bf47b503a5590
Added to database: 6/1/2026, 7:52:38 PM
Last enriched: 6/1/2026, 8:03:57 PM
Last updated: 6/2/2026, 4:59:43 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.