CVE-2026-46510 Overview
CVE-2026-46510 is a prototype pollution vulnerability in form-data-objectizer, a Node.js library that converts FormData instances to plain objects. Versions prior to 1.0.1 walk bracket-notation form keys into nested objects without filtering reserved property names such as __proto__, constructor, or prototype. An unauthenticated attacker can submit a single HTTP form field whose name starts with __proto__[...] to mutate Object.prototype across the entire Node.js process. The maintainer released 1.0.1 to address the issue. The weakness is tracked under CWE-1321, improperly controlled modification of object prototype attributes.
Critical Impact
A single crafted HTTP form field pollutes Object.prototype for the entire Node.js process, enabling integrity attacks against every downstream consumer of object properties.
Affected Products
- form-data-objectizer versions prior to 1.0.1
- Node.js applications consuming user-supplied FormData through the library
- Server-side endpoints that pass multipart form data to the objectizer without prior sanitization
Discovery Timeline
- 2026-05-29 - CVE-2026-46510 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-46510
Vulnerability Analysis
The form-data-objectizer library translates HTTP form keys that contain bracket notation, for example user[profile][name], into nested JavaScript objects. The conversion routine recursively assigns properties on a target object using keys derived directly from attacker-controlled input. Because the routine does not reject reserved keys, supplying __proto__[polluted]=value writes the polluted property onto Object.prototype rather than onto a new nested object. Every object in the Node.js process then inherits that property, which violates application integrity assumptions and can change authorization, configuration, or templating behavior. The attack requires only network access, no authentication, and no user interaction.
Root Cause
The parser performs unsafe recursive property assignment when expanding bracket-notation keys. It uses the raw segment as a property name without checking against a denylist or using Object.create(null) for intermediate containers. The lack of filtering for __proto__, constructor.prototype, and prototype segments allows traversal into the global prototype chain. The fix in commit 7c54b99408e6e9cd6533b7245bf197dadc2a2dbc adds key filtering during the walk, blocking dangerous segment names before assignment.
Attack Vector
An attacker submits an HTTP request containing a multipart or URL-encoded form field whose name begins with __proto__[someKey] and any value. When the vulnerable application calls form-data-objectizer on the parsed FormData, the library traverses obj.__proto__ and assigns someKey to it. The mutation persists for the lifetime of the process and affects all subsequently created objects. Attackers chain this primitive with downstream sinks, such as templating engines, authorization checks, or option-merging routines, to escalate to denial of service or logic abuse.
The vulnerability mechanism is documented in the GitHub Security Advisory GHSA-m2hg-wjq3-28wq and the patch commit.
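The walk described in the analysis, root cause and attack vector above, as an added example that is not the form-data-objectizer source: a deliberately minimal bracket-notation walker in the vulnerable shape the advisory describes, beside a hardened variant that filters reserved segments the way the advisory says the patch does. The function names, the `[name, value]` pair input (the shape `FormData.entries()` yields), the sample fields and the choice to reject a reserved segment with an error rather than silently drop it are assumptions, not the library's API.

```javascript
// Added example: minimal bracket-notation walker, vulnerable and hardened.
// Not the form-data-objectizer source; names and structure are assumptions.

// "user[profile][name]" -> ["user", "profile", "name"]
function splitKey(key) {
  return key.replace(/\]/g, '').split('[');
}

// Vulnerable walker: every segment is used as a property name. "__proto__" is an
// inherited accessor that returns Object.prototype, and "constructor" then
// "prototype" reaches the same object, so the final write lands on the global
// prototype instead of on a nested object.
function objectizeVulnerable(fields) {
  const result = {};
  for (const [key, value] of fields) {
    const segments = splitKey(key);
    let cursor = result;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (cursor[seg] === undefined) cursor[seg] = {}; // inherited values pass this check
      cursor = cursor[seg];
    }
    cursor[segments[segments.length - 1]] = value; // may be Object.prototype[...]
  }
  return result;
}

const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened walker: refuse any reserved segment before assignment and only
// descend into own properties, never inherited ones. Rejecting the whole field
// (rather than skipping the segment) lets the caller log it or return 400.
function objectizeSafe(fields) {
  const result = {};
  for (const [key, value] of fields) {
    const segments = splitKey(key);
    if (segments.some((s) => RESERVED.has(s))) {
      throw new Error(`rejected reserved segment in form key "${key}"`);
    }
    let cursor = result;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      if (!Object.prototype.hasOwnProperty.call(cursor, seg)) cursor[seg] = {};
      cursor = cursor[seg];
    }
    cursor[segments[segments.length - 1]] = value;
  }
  return result;
}

// Constructed request fields (assumed input, as FormData.entries() would yield them).
const BENIGN = [['user[profile][name]', 'alice']];
const MALICIOUS = [['__proto__[polluted]', 'yes']];
const MALICIOUS_VIA_CTOR = [['constructor[prototype][polluted2]', 'yes']];

// Runs both walkers against the samples and reports what each did to the
// process-wide prototype; every pollution it causes is deleted again so the
// rest of the process is left clean.
function runDemo() {
  const out = {};
  out.benign = objectizeVulnerable(BENIGN).user.profile.name; // 'alice'
  out.cleanBefore = ({}).polluted === undefined;              // true on a clean process
  objectizeVulnerable(MALICIOUS);
  out.pollutedAfter = ({}).polluted;                          // 'yes': every object inherits it
  delete Object.prototype.polluted;
  objectizeVulnerable(MALICIOUS_VIA_CTOR);
  out.pollutedViaCtor = ({}).polluted2;                       // 'yes' via constructor.prototype
  delete Object.prototype.polluted2;
  let rejected = false;
  try { objectizeSafe(MALICIOUS); } catch (e) { rejected = true; }
  out.safeRejected = rejected;                                // true
  out.safeStillClean = ({}).polluted === undefined;           // true
  return out;
}

console.log(runDemo());
```

The `=== undefined` existence check in the vulnerable walker is the detail that matters: `result.__proto__` and `result.constructor` are inherited, so they are never undefined and the walk steps straight into them. A denylist on `constructor` also rejects a legitimate field literally named `constructor`; the own-property check is the second line of defence if that list is ever relaxed.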
Detection Methods for CVE-2026-46510
Indicators of Compromise
- HTTP request bodies containing form field names that begin with __proto__[, constructor[prototype], or prototype[
- Unexpected properties appearing on plain objects across unrelated request handlers
- Application logs showing anomalous behavior in modules that rely on object property defaults after handling form submissions
Detection Strategies
- Inspect dependency manifests (package.json, package-lock.json, yarn.lock) for form-data-objectizer versions below 1.0.1
- Apply web application firewall (WAF) rules that flag form keys containing __proto__, constructor, or prototype segments; match on the URL-decoded field name, since a rule that looks for the literal string misses percent-encoded variants of the same key
- Add a runtime check that records the own property names of Object.prototype at startup and compares them on a schedule or per request, alerting when a new property has appeared; this catches pollution regardless of which parser introduced it
Monitoring Recommendations
- Log and review multipart and URL-encoded request bodies whose field names contain bracket notation against a denylist
- Track Node.js process metrics for sudden behavioral drift after specific HTTP requests
- Correlate WAF blocks for prototype-pollution patterns with error spikes in the downstream services that consume the parsed form objects
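The two checks listed above, as an added example that is not part of the original advisory: a scanner that decodes URL-encoded request bodies and flags field names containing a reserved segment (so percent-encoded spellings are caught, which a literal-string WAF rule misses), and a runtime check that snapshots the own property names of Object.prototype and reports anything added later. The sample bodies are constructed, and the function names are assumptions.

```javascript
// Added example: request-body scanning and runtime prototype monitoring.
// Not from the form-data-objectizer project; sample bodies are constructed.

const RESERVED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// "a[b][c]" -> ["a", "b", "c"]
function segmentsOf(name) {
  return name.replace(/\]/g, '').split('[');
}

// Scan one application/x-www-form-urlencoded body. URLSearchParams decodes the
// field names first, so "%5F%5Fproto%5F%5F" is seen as "__proto__". Returns one
// hit per offending field with the reserved segments it contained.
function scanUrlEncodedBody(body) {
  const hits = [];
  for (const [name] of new URLSearchParams(body)) {
    const bad = segmentsOf(name).filter((s) => RESERVED_SEGMENTS.has(s));
    if (bad.length > 0) hits.push({ field: name, segments: bad });
  }
  return hits;
}

// Runtime check: record Object.prototype's own keys at startup...
function snapshotPrototype() {
  return new Set(Reflect.ownKeys(Object.prototype).map(String));
}

// ...and later report any key that was not in the baseline. A non-empty result
// means something in this process has already polluted the global prototype.
function detectPollution(baseline) {
  return Reflect.ownKeys(Object.prototype)
    .map(String)
    .filter((k) => !baseline.has(k));
}

// Constructed sample bodies: one benign, three carrying the indicators above
// (the third spells __proto__ with percent-encoded underscores).
const SAMPLE_BODIES = [
  'user%5Bprofile%5D%5Bname%5D=alice',
  '__proto__%5Bpolluted%5D=yes',
  '%5F%5Fproto%5F%5F%5Bisadmin%5D=true',
  'constructor%5Bprototype%5D%5Bpolluted%5D=yes',
];

function runDetection() {
  const scan = SAMPLE_BODIES.map((body) => ({ body, hits: scanUrlEncodedBody(body) }));
  const baseline = snapshotPrototype();
  Object.prototype.canary = 1;            // simulate a pollution event
  const found = detectPollution(baseline); // ['canary']
  delete Object.prototype.canary;          // leave the process clean again
  return { scan, found };
}

console.log(JSON.stringify(runDetection(), null, 2));
```

Run the scanner on logged bodies to triage past traffic, or at the HTTP boundary to reject a request before it reaches the parser. The baseline comparison is cheap enough to run per request in a middleware; treat any hit as a confirmed compromise of the process rather than a suspicious request, because the write has already happened.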
How to Mitigate CVE-2026-46510
Immediate Actions Required
- Upgrade form-data-objectizer to version 1.0.1 or later in all affected services
- Audit all code paths that pass FormData from untrusted sources into the library
- Deploy WAF rules that reject form field names containing __proto__, constructor, or prototype
Patch Information
The maintainer fixed the vulnerability in version 1.0.1 via commit 7c54b99408e6e9cd6533b7245bf197dadc2a2dbc. The patch filters reserved property names during bracket-notation key expansion. Review the GitHub commit and the security advisory for full remediation guidance.
Workarounds
- Pre-filter incoming form keys at the HTTP boundary and reject requests containing __proto__, constructor, or prototype segments
- Freeze Object.prototype at application startup with Object.freeze(Object.prototype) to block runtime mutation; do this after every polyfill or library that legitimately extends the prototype has loaded, and note that a blocked write throws a TypeError only in strict-mode code and is silently ignored elsewhere, so freezing stops the pollution without necessarily surfacing the attempt
- Replace plain object accumulators with Object.create(null) containers in wrapper code that calls the library; this protects only the containers the wrapper itself creates, since a plain {} created for an intermediate segment still reaches Object.prototype through its own __proto__
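What the freeze and null-prototype workarounds above actually do, and where each falls short, as an added example that is not the form-data-objectizer project's code. The function names are assumptions; `Reflect.set` is used to show the silent-failure case because it returns false in exactly the situations where a sloppy-mode assignment would be ignored, independent of whether the surrounding file is strict.

```javascript
// Added example: behaviour of the two runtime workarounds. Not from the
// form-data-objectizer project; function names are assumptions.

// Workaround: Object.create(null) containers. A null-prototype object has no
// inherited "__proto__" accessor and no inherited "constructor", so both
// traversal paths the advisory describes end in ordinary own properties.
function nullPrototypeDemo() {
  const plain = {};
  const isolated = Object.create(null);
  const out = {};
  out.plainReachesGlobal = plain['__proto__'] === Object.prototype; // true
  out.isolatedProto = isolated['__proto__'];                        // undefined
  out.isolatedCtor = isolated['constructor'];                       // undefined
  // Walking "__proto__[x]" on the isolated container creates a nested own
  // property named "__proto__" instead of touching Object.prototype.
  isolated['__proto__'] = {};
  isolated['__proto__'].x = 1;
  out.isolatedOwnKeys = Object.keys(isolated);                      // ['__proto__']
  out.globalUntouched = ({}).x === undefined;                       // true
  return out;
}

// Workaround: freeze Object.prototype once, at startup, after every polyfill or
// library that legitimately extends it has loaded (freezing earlier breaks them).
function freezeGlobalPrototype() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}

// The write the vulnerable walker performs, attempted from strict-mode code
// against the frozen prototype: it throws a TypeError and nothing lands.
function pollutionAttemptStrict() {
  'use strict';
  try {
    Object.prototype.polluted = 'yes';
    return { threw: false, landed: ({}).polluted === 'yes' };
  } catch (e) {
    return { threw: e instanceof TypeError, landed: ({}).polluted === 'yes' };
  }
}

function runMitigationDemo() {
  const out = { nullProto: nullPrototypeDemo() };
  out.frozen = freezeGlobalPrototype();                                   // true
  out.strictAttempt = pollutionAttemptStrict();                            // { threw: true, landed: false }
  // Sloppy-mode assignment to a frozen object is ignored without an error;
  // Reflect.set reports that outcome as false instead of throwing.
  out.reflectSetResult = Reflect.set(Object.prototype, 'polluted', 'yes'); // false
  out.stillClean = ({}).polluted === undefined;                            // true
  return out;
}

console.log(runMitigationDemo());
```

Freezing protects only Object.prototype; a walker that starts from an array or a class instance can reach Array.prototype or that class's prototype through the same `constructor[prototype]` path, so the freeze is a backstop for the upgrade, not a replacement for it. The null-prototype container is likewise a property of the wrapper's own objects, not of whatever the library allocates internally.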
# Upgrade to the patched release
npm install form-data-objectizer@^1.0.1
# Verify resolved version across the dependency tree
npm ls form-data-objectizer
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.