CVE-2024-32866
Description
Conform, a type-safe form validation library, allows the parsing of nested objects in the form of object.property. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to parseWith... functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @conform-to/dom (npm) | >= 1.0.0, < 1.1.1 | 1.1.1 |
| @conform-to/zod (npm) | >= 1.0.0, < 1.1.1 | 1.1.1 |
| @conform-to/yup (npm) | >= 1.0.0, < 1.1.1 | 1.1.1 |
| @conform-to/zod (npm) | < 0.9.2 | 0.9.2 |
| @conform-to/yup (npm) | < 0.9.2 | 0.9.2 |
| @conform-to/dom (npm) | < 0.9.2 | 0.9.2 |
Patches
4819d51b5a53 Merge pull request from GHSA-624g-8qjg-8qxf
1 file changed · +16 −2
packages/conform-dom/formdata.ts+16 −2 modified@@ -38,7 +38,13 @@ export function getPaths(name: string | undefined): Array<string | number> { return name .split(/\.|(\[\d*\])/) .reduce<Array<string | number>>((result, segment) => { - if (typeof segment !== 'undefined' && segment !== '') { + if ( + typeof segment !== 'undefined' && + segment !== '' && + segment !== '__proto__' && + segment !== 'constructor' && + segment !== 'prototype' + ) { if (segment.startsWith('[') && segment.endsWith(']')) { const index = segment.slice(1, -1); @@ -114,7 +120,11 @@ export function setValue( const nextKey = paths[index + 1]; const newValue = index != lastIndex - ? pointer[key] ?? (typeof nextKey === 'number' ? [] : {}) + ? Object.hasOwn(pointer, key) + ? pointer[key] + : typeof nextKey === 'number' + ? [] + : {} : valueFn(pointer[key]); pointer[key] = newValue; @@ -133,6 +143,10 @@ export function getValue(target: unknown, name: string): unknown { break; } + if (!Object.hasOwn(pointer, path)) { + return; + } + if (isPlainObject(pointer) && typeof path === 'string') { pointer = pointer[path]; } else if (Array.isArray(pointer) && typeof path === 'number') {
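Review bot: In the setValue hunk, replacing `pointer[key] ?? (…)` with an `Object.hasOwn(pointer, key)` test changes behaviour for an own property whose value is null or undefined: the old code substituted a fresh `[]`/`{}` there, the new code keeps the nullish value as `newValue`, and if the loop then descends into `pointer[key]` (the rest of setValue is outside the hunk) the next iteration would index into undefined; the same applies to the setValue hunk in cb604dd58b99. A condition such as `? Object.hasOwn(pointer, key) && pointer[key] != null` keeps the prototype-pollution fix while preserving the old fallback. Separately, `Object.hasOwn` needs an ES2022 lib/runtime (Node 16.9+), whereas the backport uses `Object.prototype.hasOwnProperty.call`; the two patches should agree, and the older form is the safer choice if the package still supports earlier runtimes. In the getPaths hunk a `__proto__`/`constructor`/`prototype` segment is dropped silently rather than the name being rejected, so `a.__proto__.b` quietly resolves to `a.b`; a comment such as `// skip prototype-chain segments so a crafted field name cannot reach Object.prototype` would record the intent, and rejecting the whole name may be preferable to merging it into a sibling path.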
cb604dd58b99 fix: apply v1 patch for the prototype pollution vulnerability
1 file changed · +12 −2
packages/conform-dom/formdata.ts+12 −2 modified@@ -33,7 +33,13 @@ export function getPaths(name: string): Array<string | number> { return name .split(/\.|(\[\d*\])/) .reduce<Array<string | number>>((result, segment) => { - if (typeof segment !== 'undefined' && segment !== '') { + if ( + typeof segment !== 'undefined' && + segment !== '' && + segment !== '__proto__' && + segment !== 'constructor' && + segment !== 'prototype' + ) { if (segment.startsWith('[') && segment.endsWith(']')) { const index = segment.slice(1, -1); @@ -87,7 +93,11 @@ export function setValue( const nextKey = paths[index + 1]; const newValue = index != lastIndex - ? pointer[key] ?? (typeof nextKey === 'number' ? [] : {}) + ? Object.prototype.hasOwnProperty.call(pointer, key) + ? pointer[key] + : typeof nextKey === 'number' + ? [] + : {} : valueFn(pointer[key]); pointer[key] = newValue;
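Review bot: The backport has no counterpart for the getValue guard that the v1 patch (4819d51b5a53) adds, so if the 0.9.x getValue also walks `pointer[path]` by name, a path ending in an inherited key such as `constructor` would still be read from the prototype chain instead of returning undefined; it is worth confirming whether the read side needs the same `hasOwnProperty` check here. The `Object.prototype.hasOwnProperty.call(pointer, key)` form is appropriate for an older target, but the ternary it sits in now nests three levels deep; a small helper such as `const hasOwn = (o: object, k: PropertyKey) => Object.prototype.hasOwnProperty.call(o, k);` would keep the expression readable. setValue continues beyond the end of the hunk.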
References
6- github.com/advisories/GHSA-624g-8qjg-8qxfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-32866ghsaADVISORY
- github.com/edmundhung/conform/blob/59156d7115a7207fa3b6f8a70a4342a9b24c2501/packages/conform-dom/formdata.tsnvdWEB
- github.com/edmundhung/conform/commit/4819d51b5a53fd5486fc85c17cdc148eb160e3denvdWEB
- github.com/edmundhung/conform/commit/cb604dd58b99e2d12716d901a23bfca724e741efghsaWEB
- github.com/edmundhung/conform/security/advisories/GHSA-624g-8qjg-8qxfnvdWEB