@trpc/server 11.0.0-rc.744

Direct Vulnerabilities

Known vulnerabilities in the @trpc/server package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Prototype Pollution @trpc/server is a The tRPC server library Affected versions of this package are vulnerable to Prototype Pollution via the `formDataToObject()` function. An attacker can modify `Object.prototype` by submitting specially crafted FormData field names, which may result in authorization bypass, denial of service, or other unintended security impacts. Note: This is only exploitable if `experimental_caller` or `experimental_nextAppDirCaller` is enabled. How to fix Prototype Pollution? Upgrade `@trpc/server` to version 10.45.3, 11.8.0 or higher.	>=10.27.0 <10.45.3>=11.0.0-next.91 <11.8.0
H Uncaught Exception @trpc/server is a The tRPC server library Affected versions of this package are vulnerable to Uncaught Exception via the `createCtxPromise` function. An attacker can cause the server to crash by sending malformed `connectionParams` during the WebSocket connection setup. Specifically, the `parseConnectionParams` function throws an error for malformed input, which is caught but then incorrectly re-thrown within the WebSocket adapter's `createCtxPromise` function. This re-thrown error becomes an uncaught exception in the WebSocket message event context, leading to the termination of the entire tRPC server process. Note: This is only exploitable if the server has WebSockets enabled and uses the `createContext` method. How to fix Uncaught Exception? Upgrade `@trpc/server` to version 11.1.1 or higher.	>=11.0.0-rc.435 <11.1.1

Vulnerability

Vulnerable Version

Prototype Pollution

@trpc/server is a The tRPC server library

Affected versions of this package are vulnerable to Prototype Pollution via the formDataToObject() function. An attacker can modify Object.prototype by submitting specially crafted FormData field names, which may result in authorization bypass, denial of service, or other unintended security impacts.

Note:

This is only exploitable if experimental_caller or experimental_nextAppDirCaller is enabled.

How to fix Prototype Pollution?

Upgrade @trpc/server to version 10.45.3, 11.8.0 or higher.

>=10.27.0 <10.45.3>=11.0.0-next.91 <11.8.0

Uncaught Exception

@trpc/server is a The tRPC server library

Affected versions of this package are vulnerable to Uncaught Exception via the createCtxPromise function. An attacker can cause the server to crash by sending malformed connectionParams during the WebSocket connection setup. Specifically, the parseConnectionParams function throws an error for malformed input, which is caught but then incorrectly re-thrown within the WebSocket adapter's createCtxPromise function. This re-thrown error becomes an uncaught exception in the WebSocket message event context, leading to the termination of the entire tRPC server process.

Note: This is only exploitable if the server has WebSockets enabled and uses the createContext method.

How to fix Uncaught Exception?

Upgrade @trpc/server to version 11.1.1 or higher.

>=11.0.0-rc.435 <11.1.1

@trpc/server@11.0.0-rc.744

The tRPC server library

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically