tRPC Prototype Pollution Vulnerability in @trpc/server FormData Processing

Vulnerability

A prototype pollution vulnerability has been identified in the @trpc/server package, affecting versions from 10.27.0 up to but not including 10.45.3, and 11.x versions before 11.8.0. The issue arises in the formDataToObject function, which is used by the Next.js App Router adapter. This vulnerability allows an attacker to manipulate Object.prototype by sending specially crafted FormData field names. Exploitation could lead to authorization bypass, denial of service, or other security issues. Note that the vulnerability is only reachable when using experimental_caller or experimental_nextAppDirCaller.

Impact

Exploitation of this vulnerability can bypass authorization checks and cause denial-of-service conditions by disrupting application functionality.

Reproduction

To reproduce this vulnerability, create a Next.js application that uses the tRPC library version 11.7.2. In a server action, submit a FormData object with field names that include prototype-related keys, such as '__proto__[isAdmin]' and '__proto__[role]'. When the FormData is processed by the tRPC mutation, Object.prototype is polluted with the values from the FormData, bypassing authorization checks that read properties resolved through the prototype chain.
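The following is an added JavaScript example, not code from tRPC or this advisory. It reimplements the bracket-style FormData-to-object conversion the advisory describes, once naively (showing how '__proto__[isAdmin]' lands on Object.prototype) and once hardened (rejecting prototype keys and building null-prototype objects); the function names, parsing rules and sample fields are assumptions for this demonstration.

```javascript
// Added example, not tRPC's own code: two FormData -> nested-object converters
// for bracket-style field names ("user[role]"): a naive one showing the bug class
// the advisory describes, and a hardened one. Parsing rules and names are assumed.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// "user[role]" -> ["user", "role"]; "name" -> ["name"]
function parseFieldName(name) {
  const open = name.indexOf("[");
  if (open === -1) return [name];
  const path = [name.slice(0, open)];
  const re = /\[([^\[\]]*)\]/g;
  for (let m; (m = re.exec(name.slice(open))) !== null; ) path.push(m[1]);
  return path;
}

// Naive: {}.__proto__ is Object.prototype, so "__proto__[isAdmin]" writes there.
function naiveFormDataToObject(entries) {
  const root = {};
  for (const [name, value] of entries) {
    const path = parseFieldName(name);
    let node = root;
    for (let i = 0; i < path.length - 1; i++) {
      if (node[path[i]] === undefined) node[path[i]] = {};
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}

// Hardened: reject prototype keys up front and build null-prototype objects,
// so no assignment can reach Object.prototype.
function safeFormDataToObject(entries) {
  const root = Object.create(null);
  for (const [name, value] of entries) {
    const path = parseFieldName(name);
    if (path.some((k) => FORBIDDEN_KEYS.has(k))) throw new Error(`rejected unsafe field name: ${name}`);
    let node = root;
    for (let i = 0; i < path.length - 1; i++) {
      const key = path[i];
      if (!(key in node)) node[key] = Object.create(null);
      if (typeof node[key] !== "object") throw new Error(`conflicting field: ${name}`);
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}
// Constructed sample inputs: the field names from the advisory, plus a benign form.
const POLLUTING_FIELDS = [["__proto__[isAdmin]", "true"], ["__proto__[role]", "admin"]];
const BENIGN_FIELDS = [["user[name]", "alice"], ["user[role]", "viewer"]];
```

A regression check for any such converter is the last assertion pattern: after processing untrusted fields, `({}).isAdmin` must still be undefined.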

Remediation

Users can upgrade to tRPC version 10.45.3 or 11.8.0, both of which address this vulnerability.

Added: Dec 16, 2025, 5:42 PM
Updated: Dec 16, 2025, 5:42 PM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          5.0
exploitability  6.6
remediation     7.7
relevance       1.4
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.