Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
tRPC has possible prototype pollution in `experimental_nextAppDirCaller`
Vulnerability Description
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue.
CVSS Information
N/A
Vulnerability Type
CWE-1321
Vulnerability Title
tRPC 安全漏洞
Vulnerability Description
tRPC是tRPC社区的一个用于构建类型安全的API的TypeScript框架。 tRPC 10.45.3之前版本和11.8.0之前版本存在安全漏洞,该漏洞源于formDataToObject函数存在原型污染,可能导致授权绕过或拒绝服务。
CVSS Information
N/A
Vulnerability Type
N/A