CVE-2026-46510: form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys
form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__[...] causes the library to mutate Object.prototype, which is a prototype pollution primitive of the entire Node.js process.
The bug is in treatInitial and treatSecond inside index.cjs:
if (inputName in result) { // 'in' walks the prototype chain, so '__proto__' matches
newResult = result[inputName] // newResult === Object.prototype
}
// ...
result[key] = value // sets the property on Object.prototype
With the form key __proto__[polluted] and value yes:
treatInitial matches inputName = "__proto__", rest = "[polluted]". "__proto__" in result is true (inherited), so newResult = result["__proto__"], which is Object.prototype. treatSecond recurses with key = "polluted", newRest = "", and assigns Object.prototype.polluted = "yes".
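Added example (not form-data-objectizer's code): a hardened bracket-notation objectizer that rejects the __proto__, constructor and prototype segments, uses an own-property check instead of `in`, and builds nested results on null-prototype objects. The [name, value] pair input, the function names and the sample payload are assumptions made for this example.

```javascript
// Hardened objectizer for bracket-notation form keys (example code, not the library's).
// Assumed input: an array of [name, value] pairs, e.g. from a parsed HTML form.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Split "a[b][c]" into ["a", "b", "c"]; throw on malformed or unsafe segments.
function parseFormKey(name) {
  const m = /^([^\[\]]+)((?:\[[^\[\]]*\])*)$/.exec(name);
  if (!m) throw new Error(`malformed form key: ${name}`);
  const segments = [m[1]];
  const re = /\[([^\[\]]*)\]/g;
  let b;
  while ((b = re.exec(m[2])) !== null) segments.push(b[1]);
  for (const s of segments) {
    // Reject the segments that would walk into Object.prototype.
    if (FORBIDDEN_KEYS.has(s)) throw new Error(`rejected unsafe form key segment: ${s}`);
  }
  return segments;
}

function objectize(pairs) {
  // Null-prototype root: even a key that slips through cannot reach Object.prototype.
  const result = Object.create(null);
  for (const [name, value] of pairs) {
    const segments = parseFormKey(name);
    let node = result;
    for (let i = 0; i < segments.length - 1; i++) {
      const seg = segments[i];
      // Own-property check, not `in`: inherited properties are never descended into.
      if (!hasOwn(node, seg) || typeof node[seg] !== 'object' || node[seg] === null) {
        node[seg] = Object.create(null);
      }
      node = node[seg];
    }
    node[segments[segments.length - 1]] = value;
  }
  return result;
}

// Defensive check a test suite can run after parsing untrusted input:
// confirms the probe key is neither an own property of Object.prototype nor
// visible on a fresh plain object.
function isPrototypeClean(probeKey) {
  return !hasOwn(Object.prototype, probeKey) && ({})[probeKey] === undefined;
}

// Constructed sample input: one benign field and the advisory's polluting key.
const SAMPLE_PAIRS = [['user[name]', 'alice'], ['__proto__[polluted]', 'yes']];
```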