CVE-2026-46510: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in kaspernj form-data-objectizer
CVE-2026-46510 is a high-severity prototype pollution vulnerability in the kaspernj form-data-objectizer library in versions prior to 1.0.1. The library converts FormData to nested objects by parsing bracket-notation keys but fails to filter the special keys __proto__, constructor, and prototype. This allows an attacker to modify Object.prototype in the Node.js process by submitting a specially crafted form field whose key starts with __proto__[...]. This can lead to integrity issues in any application using the library. The issue is fixed in version 1.0.1.
AI Analysis
Technical Summary
The form-data-objectizer library before version 1.0.1 improperly handles bracket-notation form keys by not filtering out __proto__, constructor, or prototype keys. This allows an attacker to perform prototype pollution by submitting form fields that mutate Object.prototype, affecting the entire Node.js process. Prototype pollution can lead to unexpected behavior or security issues in applications relying on this library. The vulnerability is identified as CWE-1321 and has a CVSS 3.1 score of 8.2 (high severity). The vulnerability is fixed in version 1.0.1 by properly filtering these keys.
Potential Impact
An attacker can submit specially crafted HTTP form data that modifies Object.prototype in the Node.js process where form-data-objectizer is used. This can lead to integrity violations and potentially affect application logic or security controls that rely on object properties. The CVSS score of 8.2 reflects a high impact on integrity with low attack complexity and no required privileges or user interaction. There are no reports of known exploits in the wild at this time.
Mitigation Recommendations
Upgrade form-data-objectizer to version 1.0.1 or later, where the vulnerability is fixed by filtering out __proto__, constructor, and prototype keys during object construction. Since no official vendor advisory or patch link is provided, rely on upgrading to the fixed version as the primary remediation. Patch status is not explicitly confirmed beyond the version update; check the vendor repository or release notes for confirmation.
CVSS v3.1
Score: 8.2 (High)
Weaknesses
CWE-1321
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-14T19:12:32.754Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a199940e29bf47b50eaf832
Added to database: 5/29/2026, 1:48:48 PM
Last enriched: 5/29/2026, 2:03:33 PM
Last updated: 5/29/2026, 2:55:47 PM