CVE-2025-68130
Published 2025-12-16
Priority: P352 | Severity: high | CVSS 4.0 base score: 8.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.36% (27.5th percentile)
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trpc | server | >= 10.27.0 < 10.45.3 | 10.45.3 |
| trpc | server | >= 11.0.0 < 11.8.0 | 11.8.0 |
| trpc | trpc | — | — |
| trpc | trpc | — | — |
GHSA · 2025-12-16
CVE-2025-68130 [HIGH] CWE-1321: tRPC has possible prototype pollution in `experimental_nextAppDirCaller`
> Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`.
## Summary
A Prototype Pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts.
## Affected Versions
- **Package:** `@trpc/server`
- **Affected Versions:** >=10.27.0
- **Vulnerable Component:** `formDataToObject()` in `src/unstable-core-do-not-import/http/formDataToObject.ts`
## Vulnerability Details
### Root Cause
The `set()` function in `fo
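As an added example (not tRPC's code and not the upstream fix), a FormData-to-object converter whose `set()` step checks every field-name segment before using it as a key, so a segment that would reach `Object.prototype` is rejected instead of written. The bracket field-name syntax (`user[name]`, `tags[]`) and all function names are assumptions.

```typescript
// Added example, not tRPC's own code. Input format (bracket notation) is an assumption.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o: object, k: string) => Object.prototype.hasOwnProperty.call(o, k);

/** Split "a[b][c][]" into ["a", "b", "c", ""]; a plain name yields [name]. */
function parsePath(name: string): string[] {
  const m = /^([^[\]]+)((?:\[[^[\]]*\])*)$/.exec(name);
  if (!m) throw new Error(`malformed field name: ${name}`);
  const parts = [m[1]];
  const seg = /\[([^[\]]*)\]/g;
  let s: RegExpExecArray | null;
  while ((s = seg.exec(m[2])) !== null) parts.push(s[1]);
  return parts;
}

/** Write value at path inside root; each segment is vetted before it becomes a key. */
function set(root: Record<string, any>, path: string[], value: string): void {
  let cursor = root;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    if (FORBIDDEN_SEGMENTS.has(key)) throw new Error(`rejected field segment "${key}"`);
    if (i === path.length - 1) { cursor[key] = value; return; }
    if (path[i + 1] === "") {
      // "name[]" appends repeated values to an array and must end the field name
      if (i + 2 !== path.length) throw new Error(`"[]" must be the last segment of "${path.join("/")}"`);
      if (!hasOwn(cursor, key)) cursor[key] = [];
      if (!Array.isArray(cursor[key])) throw new Error(`"${key}" already holds a non-array value`);
      cursor[key].push(value);
      return;
    }
    // Descend only into own properties; an inherited property is never a valid container
    if (!hasOwn(cursor, key)) cursor[key] = {};
    if (typeof cursor[key] !== "object" || Array.isArray(cursor[key])) {
      throw new Error(`"${key}" already holds a non-object value`);
    }
    cursor = cursor[key];
  }
}

/** Convert FormData entries ([name, value] pairs, as FormData.entries() yields) to a nested object. */
function formDataToObjectSafe(entries: ReadonlyArray<[string, string]>): Record<string, any> {
  const root: Record<string, any> = {};
  for (const [name, value] of entries) set(root, parsePath(name), value);
  return root;
}

/** True when the converter rejects the entries; shows the guard firing without throwing. */
function isRejected(entries: ReadonlyArray<[string, string]>): boolean {
  try { formDataToObjectSafe(entries); return false; } catch { return true; }
}

// Constructed samples: a benign profile form and a field name that targets the prototype chain.
const BENIGN_FORM: [string, string][] = [
  ["user[name]", "ada"], ["user[roles][]", "editor"], ["user[roles][]", "viewer"], ["note", "hi"],
];
const HOSTILE_FORM: [string, string][] = [["__proto__[isAdmin]", "true"]];
```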
OSV · 2025-12-16
CVE-2025-68130 [HIGH]: tRPC has possible prototype pollution in `experimental_nextAppDirCaller`
No detection rules found.
No public exploits indexed.