CVE-2026-44483

8.2 HIGH

RVF (formerly Remix Validated Form) provides easy form validation and state management for React

Published: 2026-05-27 · Last updated: 2026-06-01

Severity and scoring

CVSS: 8.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
CWE: CWE-1321

Description

RVF (formerly Remix Validated Form) provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on Object.prototype of the running server process. This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator is affected. This vulnerability is fixed in 6.0.4 and 7.0.2.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-46625 — JavaScript Cookie is a JavaScript API for handling cookies, client-side (7.5 HIGH)
CVE-2026-45302 — parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays (8.2 HIGH)
CVE-2026-46510 — form-data-objectizer converts FormData to object (8.2 HIGH)
CVE-2026-46509 — deepobj provides get, set, delete deep objects in javascript (8.2 HIGH)
CVE-2026-44966 — Velocity.js is a JavaScript implementation of the Apache Velocity template engine (8.3 HIGH)