← voltar
CVE-2025-62381

sveltekit-superforms Prototype Pollution in `parseFormData` function of `formData.js`

CVSS 8.3 HIGHEPSS 0.5%CWE-1321
Vexday Risk Score
21Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 8.3EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
15 out 2025Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial of service, type confusion, and potential remote code execution in downstream applications that rely on polluted objects. This vulnerability is fixed in 2.27.4.
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L
Produtos afetados
ciscoheat · sveltekit-superforms

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/ciscoheat/sveltekit-superforms/commit/4a1310dd1a94176bb22036662c530dad48059ca4https://github.com/ciscoheat/sveltekit-superforms/security/advisories/GHSA-hwmc-4c8j-xxj7