CVE-2025-62381: 
JavaScript vulnerability analysis and mitigation

CVE-2025-62381 affects sveltekit-superforms, a SvelteKit form library for server and client form validation. The vulnerability was discovered and disclosed on October 15, 2025, affecting versions 2.27.3 and prior. It is a prototype pollution vulnerability within the parseFormData function of formData.js that allows attackers to inject string and array properties into Object.prototype (GitHub Advisory).

The vulnerability exists in the parseFormData function which processes form data containing superform_json parameters. When parsing form data, the function performs nested assignments into deserialized objects using values from form parameters beginning with superformfile and _superformfiles_. Since both the target property and value of the assignment are controlled by user input, attackers can exploit this to pollute the base object prototype. The vulnerability has been assigned a CVSS v4.0 base score of 8.3 (High) with vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L (GitHub Advisory).

The vulnerability can lead to denial of service, type confusion, and potential remote code execution in downstream applications that rely on polluted objects. For example, polluting Object.prototype.toString can cause persistent denial of service in many applications. When combined with popular libraries like nodemailer, the vulnerability can be escalated to achieve remote code execution (GitHub Advisory).

The vulnerability has been fixed in version 2.27.4 of sveltekit-superforms. Users should upgrade to this patched version to mitigate the vulnerability (GitHub Advisory).