CVE-2025-68130 Overview
CVE-2025-68130 is a prototype pollution vulnerability in @trpc/server, a library that enables developers to build end-to-end typesafe APIs without schemas or code generation. The flaw resides in the formDataToObject function used by the Next.js App Router adapter. Attackers can pollute Object.prototype by submitting crafted FormData field names. Successful exploitation can lead to authorization bypass, denial of service, or other security impacts depending on application logic. The vulnerability is only exploitable when applications use experimental_caller or experimental_nextAppDirCaller. Affected versions include tRPC 10.27.0 through versions prior to 10.45.3 and 11.8.0.
Critical Impact
Unauthenticated or low-privilege attackers can modify Object.prototype over the network, enabling authorization bypass and denial of service in Next.js applications using the experimental tRPC App Router caller.
Affected Products
- @trpc/server versions 10.27.0 through 10.45.2
- @trpc/server versions 11.0.0 through 11.7.x
- Next.js applications using experimental_caller or experimental_nextAppDirCaller
Discovery Timeline
- 2025-12-16 - CVE-2025-68130 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-68130
Vulnerability Analysis
The vulnerability is classified as prototype pollution [CWE-1321]. The formDataToObject helper in @trpc/server converts incoming FormData entries into a plain JavaScript object. The function recursively assigns nested keys derived from field names without filtering reserved property names such as __proto__, constructor, or prototype.
An attacker submitting a FormData payload whose field name includes a bracketed __proto__ segment can write arbitrary properties onto Object.prototype. Every object in the running Node.js process then inherits those polluted properties. Depending on how downstream code reads object properties, the pollution can flip authorization flags, override role checks, or trigger crashes through unexpected property types.
The vulnerability only manifests in applications that wire tRPC into the Next.js App Router using the experimental_caller or experimental_nextAppDirCaller integrations. Server actions and form submissions routed through these callers feed user-controlled FormData directly into the vulnerable parser.
Root Cause
The root cause is missing key validation during recursive property assignment in formDataToObject. The function trusts FormData field names to map onto safe object keys without rejecting prototype-related identifiers.
Attack Vector
Exploitation requires sending an HTTP POST request with a multipart/form-data or application/x-www-form-urlencoded body to any endpoint backed by the experimental Next.js App Router caller. Field names referencing __proto__ or constructor.prototype along with attacker-chosen values are sufficient to mutate the global prototype.
The vulnerability mechanism is described in the tRPC GitHub Security Advisory GHSA-43p4-m455-4f4j. No verified public proof-of-concept code is currently available.
Detection Methods for CVE-2025-68130
Indicators of Compromise
- HTTP request bodies containing FormData field names with __proto__, constructor, or prototype substrings targeting Next.js server actions.
- Unexpected application behavior such as unauthorized access to protected routes or crashes after handling form submissions.
- Node.js runtime errors referencing properties that were never explicitly set on application objects.
Detection Strategies
- Inspect web server and reverse proxy logs for request bodies containing __proto__[, constructor[prototype], or URL-encoded equivalents (%5F%5Fproto%5F%5F).
- Audit application dependencies for @trpc/server versions in the affected range and confirm whether experimental_caller or experimental_nextAppDirCaller is in use.
- Add runtime guards that snapshot Object.prototype properties at startup and alert on additions during request handling.
Monitoring Recommendations
- Forward Next.js application logs and WAF telemetry to a centralized SIEM for retrospective hunting on prototype pollution patterns.
- Monitor for sudden increases in 5xx responses or anomalous authorization decisions on tRPC routes.
- Track outbound process behavior on Next.js servers to identify post-exploitation activity following pollution attempts.
How to Mitigate CVE-2025-68130
Immediate Actions Required
- Upgrade @trpc/server to version 10.45.3 if on the 10.x branch, or to 11.8.0 if on the 11.x branch.
- Audit codebases for usage of experimental_caller and experimental_nextAppDirCaller and prioritize patching those services first.
- Deploy WAF rules that block request bodies containing __proto__, constructor[prototype], or prototype[ patterns in field names.
Patch Information
The tRPC maintainers released fixes in @trpc/server 10.45.3 and 11.8.0. Both patched releases sanitize FormData keys before recursive assignment in formDataToObject. Upgrade details are documented in the tRPC GitHub Security Advisory GHSA-43p4-m455-4f4j.
Workarounds
- Disable or remove the experimental_caller and experimental_nextAppDirCaller integrations until upgrades are deployed.
- Wrap the affected procedures with input middleware that rejects FormData field names matching ^(__proto__|constructor|prototype) or containing bracketed equivalents.
- Freeze Object.prototype early in the Node.js process startup using Object.freeze(Object.prototype) where compatible with application dependencies.
# Upgrade to patched versions
npm install @trpc/server@10.45.3
# or for the 11.x branch
npm install @trpc/server@11.8.0
# Verify the installed version
npm ls @trpc/server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

