GHSA-C567-44RC-M5HQ

Vulnerability from github – Published: 2026-05-11 16:09 – Updated: 2026-05-11 16:09
VLAI
Summary
@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)
Details

Summary

setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on Object.prototype of the running server process.

This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator is affected.

Affected versions

  • @rvf/set-get < 7.0.2 (7.x line)
  • @rvf/set-get < 6.0.4 (6.x line)

Reached through @rvf/core versions that depend on a vulnerable @rvf/set-get (current 8.1.0 resolves to 7.0.1 without the override).

Patched

  • @rvf/set-get 7.0.2
  • @rvf/set-get 6.0.4

The fix adds a REJECT_KEYS blocklist (__proto__, constructor, prototype) and throws when one is encountered while walking a path inside setPath.

Proof of concept

Install a vulnerable resolution and run on Node 18+:

{
  "dependencies": { "@rvf/core": "8.1.0" },
  "overrides": { "@rvf/set-get": "7.0.1" }
}

const { preprocessFormData } = require('@rvf/core');

const form = new FormData();
form.append("username", "alice");
form.append("__proto__[polluted]", "yes");

preprocessFormData(form);
console.log(({}).polluted); // -> 'yes'

The field name __proto__[polluted] is the kind of value an attacker can submit from any HTML form or HTTP client. After the call, every plain object in the process inherits polluted = 'yes'.

A second working payload is constructor.prototype.<key>=<value>, which goes through setPath walking constructor then prototype.

Impact

  • Any property assignable on Object.prototype of the server process, set by a single unauthenticated HTTP request.
  • Persists for the life of the worker process and affects every subsequent request handled by the same process.
  • Direct downstream consequences depend on the host application and the rest of its dependency tree, but typical risks include: bypassing if (obj.isAdmin) style checks, injecting unintended config values into objects merged with user input, breaking template rendering, and crashing the worker by polluting properties used by other libraries (DoS).
  • Worth noting: the visible output of preprocessFormData does not contain the malicious key, so the attack leaves no obvious trace in request logs that show parsed bodies.

CVSS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L (8.2, High)

Integrity is High because the primitive lets the attacker change the meaning of property reads on every object in the process. Confidentiality is None and Availability is Low without a named downstream gadget; both could be higher in a specific consuming app.

Remediation for users

Upgrade to @rvf/set-get 7.0.2 or 6.0.4. If you cannot upgrade @rvf/core directly, an npm / pnpm override on @rvf/set-get works.

Credit

Reported by Mohamed Bassia (@0xBassia).

Severity
8.2 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@rvf/set-get"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@rvf/set-get"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:09:40Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`setPath` in `@rvf/set-get` (used by `@rvf/core` to flatten incoming form data into a nested object) does not block the keys `__proto__`, `constructor`, or `prototype` when walking a path. Because field names in submitted form data are passed directly to `setPath` via `preprocessFormData` (and through `parseFormData` / `validate`), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on `Object.prototype` of the running server process.\n\nThis is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via `parseFormData` or runs a validator created with `createValidator` is affected.\n\n## Affected versions\n\n- `@rvf/set-get` `\u003c 7.0.2` (7.x line)\n- `@rvf/set-get` `\u003c 6.0.4` (6.x line)\n\nReached through `@rvf/core` versions that depend on a vulnerable `@rvf/set-get` (current `8.1.0` resolves to `7.0.1` without the override).\n\n## Patched\n\n- `@rvf/set-get` `7.0.2`\n- `@rvf/set-get` `6.0.4`\n\nThe fix adds a `REJECT_KEYS` blocklist (`__proto__`, `constructor`, `prototype`) and throws when one is encountered while walking a path inside `setPath`.\n\n## Proof of concept\n\nInstall a vulnerable resolution and run on Node 18+:\n\n```json\n{\n  \"dependencies\": { \"@rvf/core\": \"8.1.0\" },\n  \"overrides\": { \"@rvf/set-get\": \"7.0.1\" }\n}\n```\n\n```js\nconst { preprocessFormData } = require(\u0027@rvf/core\u0027);\n\nconst form = new FormData();\nform.append(\"username\", \"alice\");\nform.append(\"__proto__[polluted]\", \"yes\");\n\npreprocessFormData(form);\nconsole.log(({}).polluted); // -\u003e \u0027yes\u0027\n```\n\nThe field name `__proto__[polluted]` is the kind of value an attacker can submit from any HTML form or HTTP client. After the call, every plain object in the process inherits `polluted = \u0027yes\u0027`.\n\nA second working payload is `constructor.prototype.\u003ckey\u003e=\u003cvalue\u003e`, which goes through `setPath` walking `constructor` then `prototype`.\n\n## Impact\n\n- Any property assignable on `Object.prototype` of the server process, set by a single unauthenticated HTTP request.\n- Persists for the life of the worker process and affects every subsequent request handled by the same process.\n- Direct downstream consequences depend on the host application and the rest of its dependency tree, but typical risks include: bypassing `if (obj.isAdmin)` style checks, injecting unintended config values into objects merged with user input, breaking template rendering, and crashing the worker by polluting properties used by other libraries (DoS).\n- Worth noting: the visible output of `preprocessFormData` does not contain the malicious key, so the attack leaves no obvious trace in request logs that show parsed bodies.\n\n## CVSS\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L` (8.2, High)\n\nIntegrity is High because the primitive lets the attacker change the meaning of property reads on every object in the process. Confidentiality is None and Availability is Low without a named downstream gadget; both could be higher in a specific consuming app.\n\n## Remediation for users\n\nUpgrade to `@rvf/set-get` `7.0.2` or `6.0.4`. If you cannot upgrade `@rvf/core` directly, an `npm` / `pnpm` override on `@rvf/set-get` works.\n\n## Credit\n\nReported by Mohamed Bassia (@0xBassia).",
  "id": "GHSA-c567-44rc-m5hq",
  "modified": "2026-05-11T16:09:40Z",
  "published": "2026-05-11T16:09:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/airjp73/rvf/security/advisories/GHSA-c567-44rc-m5hq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/airjp73/rvf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@rvf/set-get has a prototype pollution issue that\u0027s reachable via @rvf/core preprocessFormData (HTTP form data)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.