Vulnerability Information
Vulnerability Title
tRPC has possible prototype pollution in `experimental_nextAppDirCaller`
Vulnerability Description
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue.
CVSS Information
N/A
Vulnerability Type
CWE-1321
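The class of defect described above (CWE-1321), shown from the mitigation side as an added example that is not tRPC's code or its patch: a converter from form-field names to a nested object that refuses prototype-reaching keys. The dot/bracket field-name syntax and every function name below are assumptions made for illustration.

```javascript
// Added illustration, not tRPC's implementation.
// Assumed field-name syntax: "a.b" and "a[b]" both address nested keys.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split "user[address].city" into ["user", "address", "city"].
function parsePath(fieldName) {
  return fieldName.split(/[.\[\]]+/).filter((segment) => segment.length > 0);
}

// Only descend into containers this function created (null-prototype objects).
function isContainer(value) {
  return value !== null && typeof value === "object" &&
    Object.getPrototypeOf(value) === null;
}

// Convert [name, value] pairs (e.g. from formData.entries()) into a nested
// object. A repeated field name overwrites the earlier value.
function safeEntriesToObject(entries) {
  const root = Object.create(null); // no inherited properties to walk into
  for (const [name, value] of entries) {
    const path = parsePath(name);
    if (path.length === 0) continue;
    // Reject the whole submission rather than silently dropping the field,
    // so the attempt is visible to logging and alerting.
    if (path.some((key) => FORBIDDEN_KEYS.has(key))) {
      throw new Error(`rejected field name: ${JSON.stringify(name)}`);
    }
    let node = root;
    for (const key of path.slice(0, -1)) {
      if (!isContainer(node[key])) node[key] = Object.create(null);
      node = node[key];
    }
    node[path[path.length - 1]] = value;
  }
  return root;
}

// Constructed sample input: one benign form and one with a forbidden key.
function demo() {
  const ok = safeEntriesToObject([["user.name", "alice"], ["user[role]", "viewer"]]);
  let rejected = false;
  try {
    safeEntriesToObject([["__proto__.isAdmin", "true"]]);
  } catch (err) {
    rejected = true;
  }
  return { ok, rejected, polluted: ({}).isAdmin !== undefined };
}
```

For deployments that use `experimental_caller` / `experimental_nextAppDirCaller`, the fix is still to upgrade to 10.45.3 or 11.8.0; a guard like this only illustrates the check such converters need.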
Vulnerability Title
tRPC security vulnerability
Vulnerability Description
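tRPC is a TypeScript framework from the tRPC community for building type-safe APIs. tRPC versions before 10.45.3 and before 11.8.0 contain a security vulnerability that stems from prototype pollution in the formDataToObject function and may lead to authorization bypass or denial of service.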
CVSS Information
N/A
Vulnerability Type
N/A