tRPC has possible prototype pollution in `experimental_nextAppDirCaller`
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue.
Problem Types
| Type | CWE ID | Description |
|---|
| CWE | CWE-1321 | CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
Type: CWE
Description: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Metrics
| Version | Base score | Base severity | Vector |
|---|
| 4.0 | 8.5 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L |
Version: 4.0
Base score: 8.5
Base severity: HIGH
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L