Summary
setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on Object.prototype of the running server process.
This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator is affected.
Affected versions
@rvf/set-get < 7.0.2 (7.x line)
@rvf/set-get < 6.0.4 (6.x line)
Reached through @rvf/core versions that depend on a vulnerable @rvf/set-get (current 8.1.0 resolves to 7.0.1 without the override).
Patched
@rvf/set-get 7.0.2
@rvf/set-get 6.0.4
The fix adds a REJECT_KEYS blocklist (__proto__, constructor, prototype) and throws when one is encountered while walking a path inside setPath.
Proof of concept
Install a vulnerable resolution and run on Node 18+:
{
"dependencies": { "@rvf/core": "8.1.0" },
"overrides": { "@rvf/set-get": "7.0.1" }
}
const { preprocessFormData } = require('@rvf/core');
const form = new FormData();
form.append("username", "alice");
form.append("__proto__[polluted]", "yes");
preprocessFormData(form);
console.log(({}).polluted); // -> 'yes'
The field name __proto__[polluted] is the kind of value an attacker can submit from any HTML form or HTTP client. After the call, every plain object in the process inherits polluted = 'yes'.
A second working payload is constructor.prototype.<key>=<value>, which goes through setPath walking constructor then prototype.
Impact
- Any property assignable on
Object.prototype of the server process, set by a single unauthenticated HTTP request.
- Persists for the life of the worker process and affects every subsequent request handled by the same process.
- Direct downstream consequences depend on the host application and the rest of its dependency tree, but typical risks include: bypassing
if (obj.isAdmin) style checks, injecting unintended config values into objects merged with user input, breaking template rendering, and crashing the worker by polluting properties used by other libraries (DoS).
- Worth noting: the visible output of
preprocessFormData does not contain the malicious key, so the attack leaves no obvious trace in request logs that show parsed bodies.
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L (8.2, High)
Integrity is High because the primitive lets the attacker change the meaning of property reads on every object in the process. Confidentiality is None and Availability is Low without a named downstream gadget; both could be higher in a specific consuming app.
Remediation for users
Upgrade to @rvf/set-get 7.0.2 or 6.0.4. If you cannot upgrade @rvf/core directly, an npm / pnpm override on @rvf/set-get works.
Credit
Reported by Mohamed Bassia (@0xBassia).
References
Summary
setPathin@rvf/set-get(used by@rvf/coreto flatten incoming form data into a nested object) does not block the keys__proto__,constructor, orprototypewhen walking a path. Because field names in submitted form data are passed directly tosetPathviapreprocessFormData(and throughparseFormData/validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties onObject.prototypeof the running server process.This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via
parseFormDataor runs a validator created withcreateValidatoris affected.Affected versions
@rvf/set-get< 7.0.2(7.x line)@rvf/set-get< 6.0.4(6.x line)Reached through
@rvf/coreversions that depend on a vulnerable@rvf/set-get(current8.1.0resolves to7.0.1without the override).Patched
@rvf/set-get7.0.2@rvf/set-get6.0.4The fix adds a
REJECT_KEYSblocklist (__proto__,constructor,prototype) and throws when one is encountered while walking a path insidesetPath.Proof of concept
Install a vulnerable resolution and run on Node 18+:
{ "dependencies": { "@rvf/core": "8.1.0" }, "overrides": { "@rvf/set-get": "7.0.1" } }The field name
__proto__[polluted]is the kind of value an attacker can submit from any HTML form or HTTP client. After the call, every plain object in the process inheritspolluted = 'yes'.A second working payload is
constructor.prototype.<key>=<value>, which goes throughsetPathwalkingconstructorthenprototype.Impact
Object.prototypeof the server process, set by a single unauthenticated HTTP request.if (obj.isAdmin)style checks, injecting unintended config values into objects merged with user input, breaking template rendering, and crashing the worker by polluting properties used by other libraries (DoS).preprocessFormDatadoes not contain the malicious key, so the attack leaves no obvious trace in request logs that show parsed bodies.CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L(8.2, High)Integrity is High because the primitive lets the attacker change the meaning of property reads on every object in the process. Confidentiality is None and Availability is Low without a named downstream gadget; both could be higher in a specific consuming app.
Remediation for users
Upgrade to
@rvf/set-get7.0.2or6.0.4. If you cannot upgrade@rvf/coredirectly, annpm/pnpmoverride on@rvf/set-getworks.Credit
Reported by Mohamed Bassia (@0xBassia).
References