milamer parse-nested-form-data
- <= 1.0.0
A prototype pollution vulnerability exists in the parse-nested-form-data module, specifically in versions prior to 1.0.1. The issue arises because the parseFormData() function does not properly filter reserved property keys in FormData field names. This oversight allows an attacker to manipulate the Object.prototype by crafting specific field names, leading to unintended consequences in the application's prototype chain. The vulnerability can be exploited by sending FormData with names that include '__proto__', either as a top-level key or nested within an array.
Exploitation of this vulnerability allows unauthorized modification of Object.prototype (prototype pollution). This could disrupt the application's state, interfere with control flow in code that relies on object properties, and potentially cause a denial-of-service condition.
To reproduce this vulnerability, create a FormData object and append a field with a name that starts with '__proto__' or includes '.__proto__.' in the middle. Then, pass this FormData object to the parseFormData() function. After parsing, the polluted property will be accessible on any plain object in the current JavaScript environment.
Users are advised to upgrade to parse-nested-form-data version 1.0.1 or later, where this vulnerability has been fixed. If an immediate upgrade is not possible, validate FormData field names to ensure they do not contain forbidden keys like '__proto__', 'constructor', or 'prototype' before processing the data with parseFormData().
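One way to implement the field-name validation described above for deployments that cannot upgrade yet. This is an added example, not code from parse-nested-form-data. The helper names and the sample entries are hypothetical, and it assumes path segments in a field name are delimited by '.', '[' and ']'.

```javascript
// Added example: pre-parse guard for FormData field names (not the library's own code).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Assumption: path segments in a field name are delimited by '.', '[' and ']'.
function fieldNameSegments(name) {
  return String(name)
    .split(/[.\[\]]+/)
    // Trim punctuation at the segment edges so a name like "+__proto__" is still
    // caught (conservative; the parser's prefix handling is not assumed here).
    .map((seg) => seg.replace(/^\W+|\W+$/g, ''))
    .filter((seg) => seg.length > 0);
}

// Returns the first forbidden segment in a field name, or null if the name is clean.
function forbiddenSegment(name) {
  const hit = fieldNameSegments(name).find((seg) => FORBIDDEN_KEYS.has(seg));
  return hit === undefined ? null : hit;
}

// Accepts a FormData instance or any iterable of [name, value] pairs.
function findUnsafeFieldNames(entries) {
  const unsafe = [];
  for (const [name] of entries) {
    const segment = forbiddenSegment(name);
    if (segment !== null) unsafe.push({ name, segment });
  }
  return unsafe;
}

// Throws before the data reaches parseFormData(); a caller can map this to an HTTP 400.
function assertSafeFieldNames(entries) {
  const unsafe = findUnsafeFieldNames(entries);
  if (unsafe.length > 0) {
    const names = unsafe.map((u) => JSON.stringify(u.name)).join(', ');
    throw new Error(`Rejected form field name(s): ${names}`);
  }
  return entries;
}

// Constructed sample entries, shaped like what FormData iteration yields.
const SAMPLE_ENTRIES = [
  ['user.name', 'alice'],
  ['user.roles[0]', 'admin'],
  ['__proto__.polluted', 'yes'],
  ['items[0].__proto__.flag', 'yes'],
];
```

Call `assertSafeFieldNames(formData)` immediately before `parseFormData(formData)`. The guard matches whole segments, so an ordinary field such as `constructor_id` is still accepted.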