Vulnerability Description
sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial of service, type confusion, and potential remote code execution in downstream applications that rely on polluted objects. This vulnerability is fixed in 2.27.4.
Related Weaknesses (CWE)
References
- https://github.com/ciscoheat/sveltekit-superforms/commit/4a1310dd1a94176bb220366
- https://github.com/ciscoheat/sveltekit-superforms/security/advisories/GHSA-hwmc-
- https://github.com/ciscoheat/sveltekit-superforms/security/advisories/GHSA-hwmc-
FAQ
What is CVE-2025-62381?
CVE-2025-62381 is a documented vulnerability. sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formDat...
How severe is CVE-2025-62381?
CVSS scoring is not yet available for CVE-2025-62381. Check NVD for updates.
Is there a patch for CVE-2025-62381?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.