CVE-2025-62381: 
JavaScript vulnerability analysis and mitigation

CVE-2025-62381 affects sveltekit-superforms, a SvelteKit form library for server and client form validation. The vulnerability was discovered and disclosed on October 15, 2025, affecting versions 2.27.3 and prior. The issue is a prototype pollution vulnerability within the parseFormData function of formData.js (GitHub Advisory).

The vulnerability exists in the parseFormData function where user-controlled input can be used to modify Object.prototype attributes. When processing form data with superform_json parameter, the function deserializes JSON input and performs nested assignments using values from form parameters beginning with superformfile and _superformfiles_. Since both the target property and value of the assignment are controlled by user input, this enables prototype pollution. The vulnerability has been assigned a CVSS v4.0 base score of 8.3 (High) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L (GitHub Advisory).

The vulnerability allows attackers to inject string and array properties into Object.prototype, which can lead to denial of service, type confusion, and potential remote code execution in downstream applications that rely on polluted objects. The impact is particularly severe when combined with popular libraries like nodemailer that may contain exploitable gadgets (GitHub Advisory).

The vulnerability has been fixed in version 2.27.4 of sveltekit-superforms. Users are advised to upgrade to this patched version to mitigate the risk (GitHub Advisory, GitHub Commit).