CVE-2025-62381: `sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js`

October 15, 2025 (updated November 10, 2025)

sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial of service, type confusion, and potential remote code execution in downstream applications that rely on polluted objects.

References

github.com/advisories/GHSA-hwmc-4c8j-xxj7
github.com/ciscoheat/sveltekit-superforms
github.com/ciscoheat/sveltekit-superforms/commit/4a1310dd1a94176bb22036662c530dad48059ca4
github.com/ciscoheat/sveltekit-superforms/security/advisories/GHSA-hwmc-4c8j-xxj7
nvd.nist.gov/vuln/detail/CVE-2025-62381

Code Behaviors & Features

Detect and mitigate CVE-2025-62381 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →