CVE-2025-68130

Summary: CVE-2025-68130 is a prototype pollution flaw in @trpc/server (formDataToObject) used by the Next.js App Router adapter when experimental_nextAppDirCaller is enabled. The root cause is that formDataToObject processes bracket/dot-notation keys without validating dangerous keys (e.g., proto...