
6 matches found

OSV
added 2025/12/16 7:37 p.m. | 0 views

GHSA-43P4-M455-4F4J tRPC has possible prototype pollution in `experimental_nextAppDirCaller`

Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Summary: A Prototype Pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router adapter. An attacker can pollute Object.prototype by...

CVSS 8.5 | AI score 6.9 | EPSS 0.00191
Exploits: 0 | References: 4
GitHub Security Blog
added 2025/12/16 7:37 p.m. | 5 views

tRPC has possible prototype pollution in `experimental_nextAppDirCaller`

Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Summary: A Prototype Pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router adapter. An attacker can pollute Object.prototype by...

CVSS 8.5 | AI score 7 | EPSS 0.00191
Exploits: 0 | References: 4 | Affected Software: 1
Snyk
added 2025/12/16 5:42 p.m. | 1 views

Prototype Pollution

Overview: @trpc/server is the tRPC server library. Affected versions of this package are vulnerable to Prototype Pollution via the formDataToObject function. An attacker can modify Object.prototype by submitting specially crafted FormData field names, which may result in authorization bypass,...

CVSS 9.1 | AI score 7.9 | EPSS 0.00191
Exploits: 0 | References: 2
EUVD
added 2025/12/16 4:50 p.m. | 1 views

EUVD-2025-203822

tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a prototype pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router...

CVSS 8.5 | AI score 6.5 | EPSS 0.00191
Exploits: 0 | References: 3
Positive Technologies
added 2025/12/16 12:0 a.m. | 3 views

PT-2025-51757

tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a prototype pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router...

CVSS 8.5 | AI score 7.1 | EPSS 0.00191
Exploits: 0 | References: 2
Veracode
added 2025/05/05 11:55 a.m. | 7 views

Denial Of Service (DoS)

@trpc/server is vulnerable to Denial of Service (DoS). The vulnerability is due to improper input validation resulting in an unhandled error when validating malformed connectionParams in WebSocket connections, allowing unauthenticated users to crash the server...

CVSS 8.7 | AI score 6.7 | EPSS 0.00269
Exploits: 0 | References: 2 | Affected Software: 1