tRPC has possible prototype pollution in `experimental_nextAppDirCaller`
- Severity: High
Description
Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`.
Recommendation
Update the `@trpc/server` package to the latest compatible version. The version details are as follows:
- Affected version(s): **>= 11.0.0, < 11.8.0** and **>= 10.27.0, < 10.45.3**
- Patched version(s): **11.8.0** and **10.45.3**
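To check a project against the ranges above, the following added example (not part of the advisory or of tRPC's own code) audits a `package-lock.json` for every installed copy of `@trpc/server` and flags source text that uses the affected callers. The function names and the sample lockfile are constructed for illustration, and it assumes a lockfile with a `packages` map (lockfileVersion 2 or 3).

```javascript
// Added example: ranges copied from the advisory text above.
const AFFECTED = [
  { min: [11, 0, 0], fixed: [11, 8, 0] },   // >= 11.0.0, < 11.8.0
  { min: [10, 27, 0], fixed: [10, 45, 3] }, // >= 10.27.0, < 10.45.3
];

// Compare two [major, minor, patch] triples; returns <0, 0 or >0.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns "affected", "not-affected", or "review" (pre-release or unparsable
// versions are not ordered here, so they are left for a human to check).
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(version));
  if (!m || m[4]) return "review";
  const v = [Number(m[1]), Number(m[2]), Number(m[3])];
  const hit = AFFECTED.some((r) => cmp(v, r.min) >= 0 && cmp(v, r.fixed) < 0);
  return hit ? "affected" : "not-affected";
}

// Walk the "packages" map of a package-lock.json and report every installed
// copy of @trpc/server, including copies nested under other dependencies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/@trpc/server" || path.endsWith("/node_modules/@trpc/server")) {
      findings.push({ path, version: entry.version, status: classify(entry.version) });
    }
  }
  return findings;
}

// The advisory applies only when these callers are used, so flag their presence.
function usesExperimentalCaller(source) {
  return /\bexperimental_(caller|nextAppDirCaller)\b/.test(source);
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@trpc/server": { version: "11.7.2" },
    "node_modules/legacy-api/node_modules/@trpc/server": { version: "10.45.3" },
    "node_modules/@trpc/client": { version: "11.7.2" },
  },
};
console.log(auditLockfile(sampleLock));
```

A nested copy pulled in by another dependency can stay in an affected range even after the top-level package is upgraded, which is why the audit walks every path rather than only the root entry.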
Related Issues
- `sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js` - CVE-2025-62381
- Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions (GHSA-xxjr-mmjv-4gpg) - CVE-2025-13465
- Tags: npm, @trpc/server
Last updated on December 16, 2025