CVE-2025-68130
Published:December 16, 2025
Updated:May 16, 2026
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in "@trpc/server"'s "formDataToObject" function, which is used by the Next.js App Router adapter. An attacker can pollute "Object.prototype" by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using "experimental_caller" / "experimental_nextAppDirCaller". Versions 10.45.3 and 11.8.0 fix the issue.
Affected Packages
https://github.com/trpc/trpc.git (GITHUB):
Affected version(s) >=v11.0.0 <v11.8.0Fix Suggestion:
Update to version v11.8.0https://github.com/trpc/trpc.git (GITHUB):
Affected version(s) >=v10.27.0 <v10.45.3Fix Suggestion:
Update to version v10.45.3@trpc/server (NPM):
Affected version(s) >=10.27.0 <10.45.3Fix Suggestion:
Update to version 10.45.3@trpc/server (NPM):
Affected version(s) >=11.0.0 <11.8.0Fix Suggestion:
Update to version 11.8.0Related Resources (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.5
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
HIGH
Vulnerable System Availability
LOW
Subsequent System Confidentiality
LOW
Subsequent System Integrity
HIGH
Subsequent System Availability
LOW
CVSS v3
Base Score:
9.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
LOW
Integrity
HIGH
Availability
LOW
Weakness Type (CWE)
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
EPSS
Base Score:
0.17