Description

tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue.
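As an added defensive illustration (not tRPC's own `formDataToObject`), the converter below turns bracket-notation FormData field names into a nested object while refusing the segment names that could reach `Object.prototype`, and builds every intermediate object without a prototype chain. The bracket grammar (`a[b]` nests, `a[]` appends), the function names and the sample entries are assumptions for this example, not taken from the advisory.

```javascript
// Added illustration, not tRPC's own code. Converts FormData-style entries
// into a nested object while refusing field names whose path segments could
// reach Object.prototype. Assumed grammar: "a[b][c]" nests, "a[]" appends.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// "user[roles][]" -> ["user", "roles", ""]; a plain "title" -> ["title"].
function parsePath(fieldName) {
  const m = /^([^[\]]+)((?:\[[^[\]]*\])*)$/.exec(fieldName);
  if (!m) throw new Error(`malformed field name: ${fieldName}`);
  const segments = [m[1]];
  for (const [, inner] of m[2].matchAll(/\[([^[\]]*)\]/g)) segments.push(inner);
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`rejected prototype-polluting field name: ${fieldName}`);
    }
  }
  // An empty segment ("[]") only makes sense as the final, append-to-array step.
  if (segments.slice(0, -1).includes("")) {
    throw new Error(`"[]" may only appear last: ${fieldName}`);
  }
  return segments;
}

// entries: any iterable of [fieldName, value] pairs, e.g. formData.entries().
function formDataToObjectSafe(entries) {
  const root = Object.create(null); // null prototype: nothing inherited to clobber
  for (const [fieldName, value] of entries) {
    const path = parsePath(fieldName);
    let node = root;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      // Reuse only children this function created, never an inherited property.
      if (!Object.prototype.hasOwnProperty.call(node, seg)) {
        node[seg] = path[i + 1] === "" ? [] : Object.create(null);
      }
      node = node[seg];
      if (node === null || typeof node !== "object") {
        throw new Error(`"${seg}" already holds a scalar value: ${fieldName}`);
      }
    }
    const last = path[path.length - 1];
    if (last === "") {
      if (!Array.isArray(node)) throw new Error(`"[]" on a non-array: ${fieldName}`);
      node.push(value);
    } else {
      node[last] = value;
    }
  }
  return root;
}
```

The returned object has a null prototype, so callers that rely on inherited methods such as `toString` must account for that.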

Status: PUBLISHED | Reserved 2025-12-15 | Published 2025-12-16 | Updated 2025-12-16 | Assigner GitHub_M

Severity: HIGH 8.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L)

Problem types

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Product status

@trpc/server >= 10.27.0, < 10.45.3: affected

@trpc/server >= 11.0.0, < 11.8.0: affected

References

github.com/trpc/trpc/security/advisories/GHSA-43p4-m455-4f4j

cve.org (CVE-2025-68130)

nvd.nist.gov (CVE-2025-68130)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.