Cyber Resilience

CVE-2025-62381

High

Published: 15 October 2025

Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed in 2.27.4)
CVSS Score (v4): 8.3
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0101 (77.5th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-62381 is a high-severity Prototype Pollution (CWE-1321) vulnerability. Its CVSS base score is 8.3 (High).

Operationally, it ranks in the top 22.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

sveltekit-superforms versions 2.27.3 and earlier contain a prototype pollution flaw in the parseFormData function of formData.js. The issue, classified as CWE-1321, allows an attacker to inject string and array properties onto Object.prototype during form data processing, which can then affect any downstream code that relies on object inheritance or property lookups.

An unauthenticated remote attacker can supply crafted form data to trigger the pollution. Successful exploitation can produce denial of service, type confusion, or, in applications that use polluted objects unsafely, remote code execution. The CVSS 4.0 score of 8.3 reflects the combination of network reachability, high impact on availability, and the need for specific conditions around object handling.
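As an added illustration of the defensive check involved (hypothetical code, not sveltekit-superforms' own parseFormData), the parser below expands dotted and bracketed form keys into nested objects while refusing the key segments that would reach Object.prototype, and creates prototype-less containers so parsed data never resolves lookups through the shared prototype:

```javascript
// Added example: a hardened form-data-to-object parser (not superforms' code).
// Keys such as "user.name" or "tags[0]" are expanded into nested objects/arrays.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split "a.b[0].c" into ["a", "b", "0", "c"]; reject empty or forbidden segments.
function splitPath(key) {
  const segments = key.replace(/\[(\w+)\]/g, '.$1').split('.');
  for (const seg of segments) {
    if (seg === '' || FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`rejected form key segment: ${JSON.stringify(seg)}`);
    }
  }
  return segments;
}

// Assign value at the nested path. Intermediate containers are created with
// Object.create(null), so a polluted Object.prototype could not leak in either.
function setPath(target, segments, value) {
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (!Object.prototype.hasOwnProperty.call(node, seg)) {
      node[seg] = /^\d+$/.test(segments[i + 1]) ? [] : Object.create(null);
    } else if (typeof node[seg] !== 'object' || node[seg] === null) {
      // "a=x" followed by "a.b=y": refuse to treat a primitive as a container.
      throw new Error(`form key conflict at segment: ${JSON.stringify(seg)}`);
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
}

// Parse an iterable of [key, value] pairs (e.g. FormData.prototype.entries())
// into a prototype-less object. Throws on any key that could pollute prototypes.
function parseFormEntries(entries) {
  const result = Object.create(null);
  for (const [key, value] of entries) {
    setPath(result, splitPath(key), value);
  }
  return result;
}

// Post-condition check a test suite can run after parsing untrusted input:
// Object.prototype must not have gained any enumerable own properties.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}
```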

The project’s security advisory and the associated commit show that the vulnerability is resolved in version 2.27.4. Users are advised to upgrade to that release; no other configuration workarounds are documented in the references.

EPSS remains low and unchanged at 0.0101 with no observed rise after disclosure.

Vulnerability details

sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial of service, type confusion, and potential remote code execution in downstream applications that rely on polluted objects. This vulnerability is fixed in 2.27.4.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
