CVE-2025-68130

HIGH

Trpc Server < 10.45.3 - Prototype Pollution

Title source: rule

Description

tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue.

References (1)

[Vendor Advisory] https://github.com/trpc/trpc/security/advisories/GHSA-43p4-m455-4f4j

Scores

CVSS v4 8.5

EPSS 0.0017

EPSS Percentile 38.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (3)

trpc/server 10.27.0 - 10.45.3npm

trpc/trpc >= 10.27.0, < 10.45.3

trpc/trpc >= 11.0.0, < 11.8.0

Published Dec 16, 2025

Tracked Since Feb 18, 2026