CVE-2025-68130: tRPC has possible prototype pollution in `experimental_nextAppDirCaller`

December 16, 2025

A Prototype Pollution vulnerability exists in @trpc/server’s formDataToObject function, which is used by the Next.js App Router adapter. An attacker can pollute Object.prototype by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts.

References

github.com/advisories/GHSA-43p4-m455-4f4j
github.com/trpc/trpc
github.com/trpc/trpc/commit/78629d524968ef8db5a7adf68d8b95a44369d77e
github.com/trpc/trpc/security/advisories/GHSA-43p4-m455-4f4j
nvd.nist.gov/vuln/detail/CVE-2025-68130

Code Behaviors & Features

Detect and mitigate CVE-2025-68130 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →