Description

parse-nested-form-data has Prototype Pollution via __proto__ in FormData field names

Summary

parseFormData() walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with __proto__, or contains .__proto__. mid-path, causes the parser to traverse onto Object.prototype and assign properties there, polluting the prototype chain of every plain object in the running process.

Details

The vulnerability is in handlePathPart in src/index.ts, which performs currentObject[pathPart.path] and currentObject[pathPart.path] = val for object-type path segments without rejecting reserved keys. When the segment is __proto__, the read returns Object.prototype, which then becomes the next traversal target, and the next assignment lands on the prototype.

Reproduction on a fresh install of [email protected]:

import { parseFormData } from 'parse-nested-form-data';
const fd = new FormData();
fd.append('__proto__.polluted', 'yes');
parseFormData(fd);
console.log(({}).polluted); // -> 'yes'
console.log(([]).polluted); // -> 'yes'

Equivalent vectors:

__proto__[polluted]=yes

a.__proto__.polluted=yes (mid-path traversal)

a[0].__proto__.polluted=yes (mid-path through an array element)

constructor.prototype.x was incidentally blocked by an existing duplicate-key guard (because Object is a function and failed the JSON-object check), but relying on that was fragile, so the fix denylists constructor and prototype as well as __proto__. The array branch (a[0], a[]) was not exploitable in practice - the regex restricts array-index segments to digit characters - but the forbidden-key check is applied before the object/array type branching as defense in depth, so any future change to the regex cannot reintroduce the issue.

Impact

Any application that passes attacker-controlled FormData (or any Iterable<[string, string | File]>) to parseFormData() - typically an HTTP server processing form submissions - allows an unauthenticated remote client to mutate Object.prototype of the running process via a single field name. Concrete consequences depend on the host application and may include corrupted application state, altered control flow in code that reads ambient properties off objects, and denial of service.

Patches

Fixed in 1.0.1. handlePathPart now throws a new ForbiddenKeyError (also exported) when any path segment is __proto__, constructor, or prototype, regardless of whether the segment would be used as an object key or an array index. The check runs before object/array type branching for defense in depth.

Upgrade:

npm install parse-nested-form-data@^1.0.1

Workarounds

If upgrading is not possible, validate field names before calling parseFormData():

const FORBIDDEN = /(^|\.)(__proto__|constructor|prototype)($|[.[])/;
for (const [name] of formData.entries()) {
  if (FORBIDDEN.test(name)) throw new Error('Unsafe field name');
}

Resources

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Fix commit: 527ad58eb486e32438f7198fb88315c20449d792

Mitigation

Aliases

References