CVE-2025-68130
tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue.
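To make the class of defect concrete, the following is an added example written for this page; it is not code from tRPC, from `formDataToObject`, or from the fix shipped in 10.45.3 / 11.8.0. It models a simplified bracket-notation form-field converter (`user[name]` becomes `{ user: { name } }`) in a naive form and a hardened form. All names (`splitKey`, `formDataToObjectNaive`, `formDataToObjectSafe`, `checkPollution`, `FORBIDDEN_KEYS`) and the sample field list are hypothetical and constructed for illustration; the converters take any iterable of `[name, value]` pairs, such as what `FormData.prototype.entries()` yields, so the example runs offline without a `FormData` global. The hardened form applies two independent controls: containers are created with `Object.create(null)` so there is no inherited `__proto__` setter to walk into, and any field whose path contains `__proto__`, `constructor`, or `prototype` is rejected outright.

```javascript
// Added example (hypothetical, not tRPC's code): bracket-notation form fields
// converted to nested objects, naive versus hardened against prototype pollution.

// Hypothetical helper: split "a[b][c]" into ["a", "b", "c"]; null if malformed.
function splitKey(name) {
  const m = /^([^\[\]]+)((?:\[[^\[\]]*\])*)$/.exec(name);
  if (!m) return null;
  const parts = [m[1]];
  const inner = /\[([^\[\]]*)\]/g;
  let seg;
  while ((seg = inner.exec(m[2])) !== null) parts.push(seg[1]);
  return parts;
}

// Naive converter: walks into whatever object a key resolves to, including the
// inherited Object.prototype reached through a "__proto__" path segment.
function formDataToObjectNaive(fields) {
  const result = {};
  for (const [name, value] of fields) {
    const parts = splitKey(name);
    if (!parts) continue;
    let cur = result;
    for (let i = 0; i < parts.length - 1; i++) {
      if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) cur[parts[i]] = {};
      cur = cur[parts[i]];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return result;
}

// Path segments that must never be used as keys when building objects from
// untrusted input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened converter: null-prototype containers (no inherited setters to reach)
// plus an explicit denylist, and only own properties are ever walked into.
function formDataToObjectSafe(fields) {
  const result = Object.create(null);
  for (const [name, value] of fields) {
    const parts = splitKey(name);
    if (!parts) continue;
    // Reject the whole field; a request handler would typically respond 400 here.
    if (parts.some((p) => FORBIDDEN_KEYS.has(p))) continue;
    let cur = result;
    for (let i = 0; i < parts.length - 1; i++) {
      const key = parts[i];
      if (!Object.hasOwn(cur, key) || typeof cur[key] !== 'object' || cur[key] === null) {
        cur[key] = Object.create(null);
      }
      cur = cur[key];
    }
    cur[parts[parts.length - 1]] = value;
  }
  return result;
}

// Runs a converter over a constructed field set containing one hostile field
// name, reports whether Object.prototype was modified, and restores it so the
// check is side-effect free.
function checkPollution(convert) {
  const CONSTRUCTED_FIELDS = [
    ['user[name]', 'alice'],
    ['__proto__[isAdmin]', 'true'], // constructed hostile field name
  ];
  const out = convert(CONSTRUCTED_FIELDS);
  const polluted = ({}).isAdmin === 'true';
  delete Object.prototype.isAdmin;
  return { polluted, out };
}
```

Running `checkPollution(formDataToObjectNaive)` reports `polluted: true`, while `checkPollution(formDataToObjectSafe)` reports `polluted: false` and still returns `{ user: { name: 'alice' } }`, which is the behaviour a reviewer should look for in any form-to-object or deep-merge helper that handles request data: untrusted key segments must never select a prototype object as the write target.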
EPSS 0.19% · 40.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| trpc | server | 10.27.0, 11.0.0 |
| trpc | trpc | >= 10.27.0, < 10.45.3, >= 11.0.0, < 11.8.0 |
Timeline
- Dec 16, 2025 CVE Published
- Dec 17, 2025 EPSS Score
- Dec 21, 2025 EPSS Score
- Dec 25, 2025 EPSS Score
- Dec 29, 2025 EPSS Score
- Jan 2, 2026 EPSS Score
- Jan 5, 2026 EPSS Score
- Jan 9, 2026 EPSS Score
- Jan 13, 2026 EPSS Score
- Jan 17, 2026 EPSS Score
- Jan 21, 2026 EPSS Score
- Jan 25, 2026 EPSS Score