CVE-2025-68130 HIGH

CVE-2025-68130: tRPC has possible prototype pollution in `experimental_nextAppDirCaller`

Vendor Trpc
Product trpc
Weakness CWE-1321
Published December 16, 2025
Last update December 16, 2025

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L

What the vulnerability does

01Description

tRPC allows users to build and consume fully typesafe APIs without schemas or code generation. Starting in version 10.27.0 and prior to versions 10.45.3 and 11.8.0, a A prototype pollution vulnerability exists in `@trpc/server`'s `formDataToObject` function, which is used by the Next.js App Router adapter. An attacker can pollute `Object.prototype` by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts. Note that this vulnerability is only present when using `experimental_caller` / `experimental_nextAppDirCaller`. Versions 10.45.3 and 11.8.0 fix the issue.

Key dates

02Disclosure timeline

December 16, 2025 CVE published
December 16, 2025 Record updated