Vulnerability Description
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2025-68130?
CVE-2025-68130 is a documented vulnerability. tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerabili...
How severe is CVE-2025-68130?
CVSS scoring is not yet available for CVE-2025-68130. Check NVD for updates.
Is there a patch for CVE-2025-68130?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.