CVE-2026-44483

HIGH

RVF: Prototype pollution in @rvf/set-get reachable via @rvf/core preprocessFormData (HTTP form data)

Title source: cna

Description

RVF (formerly Remix Validated Form) provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get (used by @rvf/core to flatten incoming form data into a nested object) does not block the keys __proto__, constructor, or prototype when walking a path. Because field names in submitted form data are passed directly to setPath via preprocessFormData (and through parseFormData / validate), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on Object.prototype of the running server process. This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via parseFormData or runs a validator created with createValidator is affected. This vulnerability is fixed in 6.0.4 and 7.0.2.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/airjp73/rvf/security/advisories/GHSA-c567-44rc-m5hq

Scores

CVSS v3 8.2

EPSS 0.0027

EPSS Percentile 18.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (6)

@rvf/set-get >= 6.0.0, < 6.0.4

@rvf/set-get >= 7.0.0, < 7.0.2

airjp73/rvf >= 6.0.0, < 6.0.4

airjp73/rvf >= 7.0.0, < 7.0.2

rvf/set-get 6.0.0 - 6.0.4npm

rvf/set-get 7.0.0 - 7.0.2npm

Published May 27, 2026

Tracked Since May 27, 2026