react-hook-form is vulnerable to Prototype Pollution
54
Medium Risk
The unset utility in react-hook-form traverses nested path segments through an internal helper without filtering prototype-related keywords such as __proto__, constructor, and prototype. A path that includes one of these keywords causes the traversal to walk into Object.prototype, and the following delete operation removes a property from the prototype itself. An equivalent guard already existed in the set utility but was missing from unset, so callers could delete prototype properties through crafted field paths. The fix returns early as a no-op when any path segment is a prototype keyword.
You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted input as form field names.
react-hook-form is vulnerable to Prototype Pollution in versions 7.54.0 - 7.80.0.
Upgrade the react-hook-form library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant