Intel

AIKIDO-2026-925158

react-hook-form is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

54

Medium Risk

This Affects:

JSreact-hook-form
7.54.0 - 7.80.0
Fixed in 7.81.0
Are you affected? Scan for Free

TL;DR

The unset utility in react-hook-form traverses nested path segments through an internal helper without filtering prototype-related keywords such as __proto__, constructor, and prototype. A path that includes one of these keywords causes the traversal to walk into Object.prototype, and the following delete operation removes a property from the prototype itself. An equivalent guard already existed in the set utility but was missing from unset, so callers could delete prototype properties through crafted field paths. The fix returns early as a no-op when any path segment is a prototype keyword.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted input as form field names.

Background info

react-hook-form is vulnerable to Prototype Pollution in versions 7.54.0 - 7.80.0.

How to fix this

Upgrade the react-hook-form library to the patch version.