CVE-2025-62381
Published: 15 October 2025
Summary
CVE-2025-62381 is a high-severity Prototype Pollution (CWE-1321) vulnerability. Its CVSS base score is 8.3 (High).
Its EPSS score places it in the top 22.5% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
sveltekit-superforms versions 2.27.3 and earlier contain a prototype pollution flaw in the parseFormData function of formData.js. The issue, classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes), allows an attacker to inject string and array properties onto Object.prototype during form data processing. Because every ordinary object inherits from Object.prototype, the injected properties become visible to any downstream code that reads a property it does not explicitly set, or that branches on the result of a property lookup.
An unauthenticated remote attacker can supply crafted form data to trigger the pollution. Successful exploitation can produce denial of service, type confusion, or, in applications that use polluted objects unsafely, remote code execution. The CVSS 4.0 base score of 8.3 reflects network reachability and high availability impact, with the more severe outcomes (type confusion, code execution) depending on how the application handles the polluted objects.
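To make the mechanism concrete, the following JavaScript is an added illustration, not code from sveltekit-superforms (the page does not show the library's real parseFormData or its field-name grammar). It assumes a form-field parser that expands dotted and bracketed names such as `user.tags[0]` into nested objects, the shape of parser in which this class of bug typically appears, and places the vulnerable walk beside a hardened one. The sample form body, the `isAdmin` downstream check and all function names are constructed for the example.

```javascript
// Added example: illustrative form-key parser, NOT sveltekit-superforms code.
// The dotted/bracketed path syntax is an assumption for the demonstration.

// Split a field name into path segments: "a.b[0].c" -> ["a", "b", "0", "c"]
function splitPath(key) {
  return key.replace(/\[([^\]]*)\]/g, '.$1').split('.').filter(Boolean);
}

// Vulnerable shape: walks the path, creating containers as needed, with no
// check on segment names. For "__proto__.polluted", result["__proto__"] is the
// inherited accessor returning Object.prototype, so the final assignment lands
// on the shared prototype and every object in the process inherits it.
function parseFormDataVulnerable(entries) {
  const result = {};
  for (const [key, value] of entries) {
    const path = splitPath(key);
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      const nextIsIndex = /^\d+$/.test(path[i + 1]);
      if (node[seg] === undefined || node[seg] === null) {
        node[seg] = nextIsIndex ? [] : {};   // array when the next segment is numeric
      }
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Hardened shape: reject prototype-reaching segment names outright, build on
// null-prototype objects so no inherited accessor exists, and only descend
// into containers the parser itself created (own properties).
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function parseFormDataHardened(entries) {
  const result = Object.create(null);
  for (const [key, value] of entries) {
    const path = splitPath(key);
    if (path.some((seg) => FORBIDDEN_SEGMENTS.has(seg))) {
      throw new Error(`rejected form field name: ${key}`);
    }
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      const seg = path[i];
      const nextIsIndex = /^\d+$/.test(path[i + 1]);
      if (!Object.hasOwn(node, seg)) {
        node[seg] = nextIsIndex ? [] : Object.create(null);
      }
      node = node[seg];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Constructed attacker-controlled form body (not a real capture): one string
// property and one array property aimed at Object.prototype.
const MALICIOUS_ENTRIES = [
  ['username', 'alice'],
  ['__proto__.polluted', 'yes'],     // string property onto Object.prototype
  ['__proto__.roles[0]', 'admin'],   // array property onto Object.prototype
];

// Hypothetical downstream check that trusts an inherited property.
function isAdmin(user) {
  return Array.isArray(user.roles) && user.roles.includes('admin');
}

// Runs the vulnerable parser, records what an unrelated object now inherits,
// then cleans up so the process is left unpolluted, and finally shows that the
// hardened parser rejects the payload while still handling benign input.
function demonstrate() {
  const out = { beforePolluted: 'polluted' in {}, beforeAdmin: isAdmin({}) };
  try {
    parseFormDataVulnerable(MALICIOUS_ENTRIES);
    out.afterPolluted = ({}).polluted;   // 'yes': inherited by every plain object
    out.afterAdmin = isAdmin({});        // true: an empty object passes the role check
  } finally {
    delete Object.prototype.polluted;
    delete Object.prototype.roles;
  }
  out.hardenedRejected = false;
  try {
    parseFormDataHardened(MALICIOUS_ENTRIES);
  } catch (e) {
    out.hardenedRejected = true;
  }
  out.hardenedClean = ({}).polluted === undefined;
  out.benign = parseFormDataHardened([
    ['user.name', 'alice'], ['user.tags[0]', 'x'], ['user.tags[1]', 'y'],
  ]);
  return out;
}

module.exports = { splitPath, parseFormDataVulnerable, parseFormDataHardened, demonstrate };
```

Run with `node` and call `demonstrate()`: before the vulnerable parse `{}` has no `polluted` property and fails `isAdmin`; afterwards `({}).polluted` is `'yes'` and `isAdmin({})` is `true`, which is the "downstream code that relies on property lookups" effect described above. The hardened parser throws on the same payload and still returns `{ user: { name: 'alice', tags: ['x', 'y'] } }` for ordinary input. The page does not describe how 2.27.4 actually fixes parseFormData, so the segment blocklist plus null-prototype containers is a standard hardening pattern for this bug class, not a statement about the project's patch.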
The project’s security advisory and the associated commit show that the vulnerability is resolved in version 2.27.4. Users are advised to upgrade to that release; no other configuration workarounds are documented in the references.
EPSS remains low and unchanged at 0.0101 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-34681
Vulnerability details
sveltekit-superforms makes SvelteKit forms a pleasure to use. sveltekit-superforms v2.27.3 and prior are susceptible to a prototype pollution vulnerability within the parseFormData function of formData.js. An attacker can inject string and array properties into Object.prototype, leading to denial of service, type confusion, and potential remote code execution in downstream applications that rely on polluted objects. This vulnerability is fixed in 2.27.4.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.