`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js`
Severity: High
Description
sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial of service, type confusion, and potential remote code execution in downstream applications that rely on polluted objects.
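To make the bug class concrete, here is an added illustration that is not sveltekit-superforms' own code: a toy parser that builds a nested object from form entries (the `a.b` / `a[0]` key syntax and all function names are assumptions), shown in an unguarded form and in a hardened form that refuses prototype-walking keys.

```javascript
// Added example, not sveltekit-superforms code. Input is an iterable of
// [key, value] pairs, as FormData.prototype.entries() yields. Constructed data only.

const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// "user.tags[0]" -> ["user", "tags", "0"]  (assumed key syntax)
function splitPath(key) {
  return key.replace(/\]/g, '').split(/[.[]/).filter(Boolean);
}

// Unguarded: trusts every path segment. A first segment of "__proto__" resolves
// to Object.prototype, so the final write lands on every object in the process.
function parseFormEntriesUnsafe(entries) {
  const out = {};
  for (const [key, value] of entries) {
    const path = splitPath(key);
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof cur[path[i]] !== 'object' || cur[path[i]] === null) cur[path[i]] = {};
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}

// Hardened: reject unsafe segments before writing, and only descend into own
// properties so the walk can never step onto a shared prototype.
function parseFormEntriesSafe(entries) {
  const out = {};
  for (const [key, value] of entries) {
    const path = splitPath(key);
    if (path.some((seg) => UNSAFE_SEGMENTS.has(seg))) {
      throw new Error(`rejected unsafe form key: ${key}`);
    }
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      const own = Object.prototype.hasOwnProperty.call(cur, seg);
      if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) cur[seg] = {};
      cur = cur[seg];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}

// Stand-alone demonstration: the unguarded parser leaks onto a fresh object,
// the hardened one rejects the same input. Cleans up so the process stays sane.
function demo() {
  const entries = [['__proto__.polluted', 'yes'], ['user.name', 'alice']];
  parseFormEntriesUnsafe(entries);
  const leaked = ({}).polluted;          // 'yes': a brand-new object sees it
  delete Object.prototype.polluted;       // undo the pollution
  let rejected = false;
  try { parseFormEntriesSafe(entries); } catch { rejected = true; }
  return { leaked, rejected };
}
```

The `hasOwnProperty` check in the hardened parser matters even with the deny-list: it keeps inherited properties such as `toString` from ever being used as a descent point.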
Recommendation
Update the sveltekit-superforms package to the latest compatible version. Version details:
- Affected version(s): <= 2.27.3
- Patched version(s): 2.27.4
Related Issues
- Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions (GHSA-xxjr-mmjv-4gpg) - CVE-2025-13465
- tRPC has possible prototype pollution in `experimental_nextAppDirCaller` - CVE-2025-68130
Tags:
- npm
- sveltekit-superforms
Last updated on October 15, 2025