`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js`
- Severity: High
Description
sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability in the parseFormData function of formData.js. By submitting crafted form field names to an endpoint that parses form data with this function, an attacker can inject string and array properties into Object.prototype. Because every plain object in the process inherits from Object.prototype, the injected values surface in unrelated code paths, leading to denial of service, type confusion, and potential remote code execution in downstream applications whose logic relies on the polluted objects.
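To make the bug class concrete, the following is an added example and not the sveltekit-superforms source: it does not reproduce the real parseFormData, and the names parseFormDataUnsafe, parseFormDataSafe, demoPollution and the constructed HOSTILE_FORM request are hypothetical. It shows a simplified dotted-path form parser of the kind many form libraries use, first in a shape that walks `__proto__` and pollutes Object.prototype with both a string and an array, then hardened by rejecting prototype-chain segments, building on null-prototype objects and using own-property checks.

```javascript
// Added illustration of the bug class, not the sveltekit-superforms source.
// Both parsers accept an iterable of [fieldName, value] pairs (a FormData
// object or its .entries() also satisfy this) and expand dotted field names
// into nested objects, as form libraries commonly do:
//   "user.name=alice"           -> { user: { name: "alice" } }
//   repeated "tags=a", "tags=b" -> { tags: ["a", "b"] }

const UNSAFE_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable form: every path segment is trusted. With the field name
// "__proto__.isAdmin", `cur` resolves to Object.prototype on a plain object,
// so the final assignment lands on Object.prototype and every plain object
// in the process inherits it. A second value for the same field turns the
// property into an array (string and array pollution).
function parseFormDataUnsafe(entries) {
  const out = {};
  for (const [name, value] of entries) {
    const segs = name.split(".");
    let cur = out;
    for (let i = 0; i < segs.length - 1; i++) {
      if (cur[segs[i]] === undefined) cur[segs[i]] = {};
      cur = cur[segs[i]];
    }
    const last = segs[segs.length - 1];
    cur[last] = cur[last] === undefined ? value : [].concat(cur[last], value);
  }
  return out;
}

// Hardened form: reject any segment that names the prototype chain, build on
// null-prototype objects so there is no inherited `__proto__` setter to reach,
// and use own-property checks when deciding whether to descend or to
// coalesce repeated fields into an array.
function parseFormDataSafe(entries) {
  const out = Object.create(null);
  for (const [name, value] of entries) {
    const segs = name.split(".");
    const bad = segs.find((s) => UNSAFE_SEGMENTS.has(s));
    if (bad !== undefined) {
      throw new Error(`rejected unsafe form field name: ${name}`);
    }
    let cur = out;
    for (let i = 0; i < segs.length - 1; i++) {
      if (!Object.hasOwn(cur, segs[i])) cur[segs[i]] = Object.create(null);
      cur = cur[segs[i]];
    }
    const last = segs[segs.length - 1];
    cur[last] = Object.hasOwn(cur, last) ? [].concat(cur[last], value) : value;
  }
  return out;
}

// Constructed attacker request body (hypothetical): one benign field
// followed by field names that target Object.prototype directly.
const HOSTILE_FORM = [
  ["user.name", "alice"],
  ["__proto__.isAdmin", "true"],
  ["__proto__.roles", "admin"],
  ["__proto__.roles", "root"],
];

// Runs a parser over HOSTILE_FORM, then probes a fresh, unrelated object for
// the injected properties. Cleans Object.prototype afterwards so the
// pollution does not leak into anything else running in the process.
function demoPollution(parser) {
  let error = null;
  try {
    parser(HOSTILE_FORM);
  } catch (e) {
    error = e.message;
  }
  const victim = {};
  const observed = { isAdmin: victim.isAdmin, roles: victim.roles, error };
  delete Object.prototype.isAdmin;
  delete Object.prototype.roles;
  return observed;
}

console.log("unsafe parser:", demoPollution(parseFormDataUnsafe));
console.log("safe parser:  ", demoPollution(parseFormDataSafe));
```

With the unsafe parser the probe object reports isAdmin "true" and roles ["admin", "root"] without any error; with the hardened parser the request is rejected and the probe object is untouched. The same probe (`({}).someKey !== undefined` for keys the application never sets) is a cheap runtime check for pollution in an incident-response context.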
Recommendation
Update the sveltekit-superforms package to the latest compatible version. Version details:
- Affected version(s): <= 2.27.3
- Patched version(s): 2.27.4
- Tags: npm, sveltekit-superforms
Last updated on October 15, 2025