Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2026-44483
Summary
RVF (formerly Remix Validated Form) provides easy form validation and state management for React. In versions 6.x prior to 6.0.4 and 7.x prior to 7.0.2, `setPath` in `@rvf/set-get` (used by `@rvf/core` to flatten incoming form data into a nested object) does not block the keys `__proto__`, `constructor`, or `prototype` when walking a path. Because field names in submitted form data are passed directly to `setPath` via `preprocessFormData` (and through `parseFormData` / `validate`), an attacker who can submit a form to a Remix / React Router app using the library can set arbitrary properties on `Object.prototype` of the running server process. This is a default-reachable prototype pollution primitive: no special configuration is required. Any endpoint that accepts a form via `parseFormData` or runs a validator created with `createValidator` is affected. This vulnerability is fixed in 6.0.4 and 7.0.2.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- NONE
- LOW
CWE-1321 - Prototype Pollution
Prototype pollution lets an attacker inject properties into `Object.prototype`, the prototype that nearly every JavaScript object inherits from. A property written there appears on every object in the process, not just the one being populated, so later code that does `if (obj.isAdmin)`, `obj.hasOwnProperty`-free option merging, or template rendering may start seeing attacker-controlled values. Depending on what downstream code does with those properties, the result can be denial of service, arbitrary code execution, or cross-site scripting.
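To make the mechanism in the Summary concrete, the following is an added illustration and not code from `@rvf/set-get` or `@rvf/core`: a minimal path-setting routine in the vulnerable style the advisory describes (every path segment is trusted, so a field named `__proto__.isAdmin` walks onto `Object.prototype`), beside a hardened variant that refuses the three dangerous segment names and only descends into own properties. The path grammar (`a.b[0].c`), the function names `setPathUnsafe`, `setPathSafe` and `flattenFormData`, and the submitted form body are all assumptions made for the example; the actual fix shipped in 6.0.4 / 7.0.2 may be implemented differently.

```javascript
// Added example, not the library's code. Segment names that must never be
// walked when building a nested object from untrusted field names.
const BLOCKED_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Hypothetical path grammar: "a.b[0].c" -> ["a", "b", "0", "c"].
function splitPath(path) {
  return path
    .replace(/\[(\w+)\]/g, ".$1")
    .split(".")
    .filter((segment) => segment.length > 0);
}

const isIndex = (segment) => /^\d+$/.test(segment);

// Vulnerable pattern: trusts every segment and uses an inherited lookup when
// deciding whether an intermediate container exists. For "__proto__.x" the
// lookup returns Object.prototype itself, so the final write lands there.
// "constructor.prototype.x" reaches the same place via Object -> Object.prototype.
function setPathUnsafe(obj, path, value) {
  const parts = splitPath(path);
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (cur[key] == null) {
      cur[key] = isIndex(parts[i + 1]) ? [] : {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened variant: reject prototype-related segments up front, and only
// descend into containers that are the object's own properties.
function setPathSafe(obj, path, value) {
  const parts = splitPath(path);
  for (const key of parts) {
    if (BLOCKED_SEGMENTS.has(key)) {
      throw new Error(`refusing to set prototype-related key "${key}" in path "${path}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const next = Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
    if (next === null || typeof next !== "object") {
      cur[key] = isIndex(parts[i + 1]) ? [] : {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Stand-in for the form-flattening step: every submitted field name is used
// verbatim as a path into the result object. `params` is anything with
// entries(), e.g. URLSearchParams or FormData.
function flattenFormData(params, setPath) {
  const out = {};
  for (const [name, value] of params.entries()) {
    setPath(out, name, value);
  }
  return out;
}

// Constructed attacker request body: one legitimate field plus one field
// whose name is a prototype-walking path. Returns what an unrelated object
// sees before and after flattening, then removes the polluted property so
// the rest of the process is unaffected.
function demonstratePollution(fieldName) {
  const body = new URLSearchParams(`email=a%40b.test&${fieldName}=true`);
  const before = ({}).isAdmin;
  flattenFormData(body, setPathUnsafe);
  const after = ({}).isAdmin;
  delete Object.prototype.isAdmin;
  return { before, after };
}

// Same body against the hardened setter: the request is rejected and no
// unrelated object ever observes the attacker's property.
function demonstrateHardened(fieldName) {
  const body = new URLSearchParams(`email=a%40b.test&${fieldName}=true`);
  let rejected = false;
  try {
    flattenFormData(body, setPathSafe);
  } catch (e) {
    rejected = true;
  }
  return { rejected, polluted: ({}).isAdmin !== undefined };
}
```

Run as a plain Node script: `demonstratePollution("__proto__.isAdmin")` returns `before` undefined and `after` equal to the submitted string, i.e. every object in the process briefly reports `isAdmin`; the same payload against `setPathSafe` is rejected before anything is written. The own-property check matters as well as the blocklist: a setter that blocks the three names but still uses inherited lookups can be steered into other shared objects reachable from the root.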