sveltekit-superforms Prototype Pollution in `parseFormData` function of `formData.js`_CVE-2025-62381

8.3 / 10

HIGH

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L

Description

sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial of service, type confusion, and potential remote code execution in downstream applications that rely on polluted objects. This vulnerability is fixed in 2.27.4.

Basic Information

ID CVE-2025-62381

Source GitHub_M

Published Oct 15, 2025 at 17:12

Affected Product

Vendor ciscoheat

Product sveltekit-superforms

Version < 2.27.4

Affected Versions ciscoheat sveltekit-superforms < 2.27.4

CWE Classification

CWE-1321

References

{
    "lastseen": "",
    "description": "sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial of service, type confusion, and potential remote code execution in downstream applications that rely on polluted objects. This vulnerability is fixed in 2.27.4.",
    "published": "2025-10-15T17:12:47.357Z",
    "modified": "2025-10-15T17:12:47.357Z",
    "type": "cve",
    "title": "sveltekit-superforms Prototype Pollution in `parseFormData` function of `formData.js`",
    "source": "GitHub_M",
    "references": "https://github.com/ciscoheat/sveltekit-superforms/security/advisories/GHSA-hwmc-4c8j-xxj7\nhttps://github.com/ciscoheat/sveltekit-superforms/commit/4a1310dd1a94176bb22036662c530dad48059ca4",
    "id": "CVE-2025-62381",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1321"
    ],
    "cvelist": null,
    "sourceData": "ciscoheat sveltekit-superforms < 2.27.4",
    "sourceHref": "",
    "cvss": {
        "score": 8.3,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "sveltekit-superforms",
    "version": "< 2.27.4",
    "vendor": "ciscoheat",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}