tRPC Server vulnerabilities
2 known vulnerabilities affecting trpc/server.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2
Vulnerabilities
CVE-2025-68130 | Priority: P3 | Severity: HIGH | Affected versions: ≥ 10.27.0, < 10.45.3 and ≥ 11.0.0, < 11.8.0 | Published: 2025-12-16
CVE-2025-68130 [HIGH] CWE-1321 tRPC has possible prototype pollution in `experimental_nextAppDirCaller`
> Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`.
## Summary
A Prototype Pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitt
Sources: GHSA, OSV
CVE-2025-43855 | Priority: P3 | Severity: HIGH | Affected versions: ≥ 11.0.0, < 11.1.1 | Published: 2025-04-24
CVE-2025-43855 [HIGH] CWE-248 tRPC 11 WebSocket DoS Vulnerability
## Summary
An unhandled error is thrown when validating invalid `connectionParams`, which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server.
## Details
Any tRPC 11 server with WebSockets enabled and a `createContext` method set is vulnerable. Here is an example:
https://github.com/user-attachments/assets/ce1b2d32-6103-4e54-8446-51535b293
Sources: GHSA, OSV