CVE-2026-25754
Published 2026-02-06
Priority: P3 · 44 · CVSS 3.1 base score 7.2 (high)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS: 0.36% (28.3th percentile)
AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adonisjs | bodyparser | < 10.1.3 | 10.1.3 |
| adonisjs | bodyparser | — | — |
| adonisjs | bodyparser | >= 0 < 10.1.3 | 10.1.3 |
| adonisjs | bodyparser | >= 10.1.3 < 10.1.5 | 10.1.5 |
| adonisjs | bodyparser | >= 10.1.4 < 11.0.0 | 11.0.0 |
| adonisjs | bodyparser | >= 11.0.0-next.0 < 11.0.0-next.9 | 11.0.0-next.9 |
| adonisjs | bodyparser | >= 11.0.0-next.9 < 11.0.3 | 11.0.3 |
| adonisjs | core | < 10.1.3 | 10.1.3 |
| adonisjs | core | < 11.0.0-next.9 | 11.0.0-next.9 |
CVSS provenance
| Source | Score | Vector |
|---|---|---|
| NVD (v3.1) | 7.2 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
| GHSA | 7.2 HIGH | |
GHSA
CVE-2026-48795 [HIGH] CWE-1321: @adonisjs/bodyparser has an incomplete fix for CVE-2026-25754
Source: ghsa · published 2026-06-30 · CVSS 7.2
### Summary
The fix for [GHSA-f5x2-vj4h-vg4c](https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c) / CVE-2026-25754, introduced in commit [`40e1c71`](https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed), is incomplete and can be bypassed with nested prototype pollution payloads.
The original patch replaced the internal `FormFields` storage object with one created via `Object.create(null)`, which blocks direct payloads such as `__proto__.polluted` because the root object has no prototype to reach. However, payloads that place a harmless segment before `__proto__` or `constructor.prototype`, such as `user.__proto__.polluted`, still pollute `Object.prototype`: the intermediate object created for `user` is an ordinary object, so its `__proto__` property resolves to `Object.prototype`.
This issue is exploitable remotely through a single unauthentica
GHSA
CVE-2026-25754 [HIGH] CWE-1321: AdonisJS multipart body parsing has Prototype Pollution issue
Source: ghsa · published 2026-02-06
### Description
A Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts `@adonisjs/bodyparser` through version `10.1.2` and `11.x` prerelease versions prior to `11.0.0-next.8`. This issue has been patched in `@adonisjs/bodyparser` versions `10.1.3` and `11.0.0-next.9`.
### Details
AdonisJS parses `multipart/form-data` requests via the BodyParser package. During multipart parsing, form field names are used to construct plain JavaScript objects representing the parsed request body.
Due to insufficient validation of multipart field names, specially crafted fields containing reserved property names such as `__proto
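A hardened way to turn dotted multipart field names into a body object, covering both the root-level `__proto__` payloads the original fix addressed and the nested `user.__proto__.polluted` shape that bypassed it. This is an added example for illustration, not code from `@adonisjs/bodyparser`; the dotted field-name syntax, the `setField`/`parseFields`/`demo` helpers and the sample fields are assumptions.

```javascript
// Added example, not AdonisJS code: a hardened dotted-path setter for multipart
// field names such as "user.address.city" (field syntax assumed). Every segment,
// not just the first, is checked against names that reach Object.prototype, and
// every intermediate object is prototype-less, so no lookup hits an inherited setter.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Stores value under the dotted path; returns false if the field is rejected.
function setField(target, fieldName, value) {
  const segments = fieldName.split('.');
  if (segments.some((s) => DANGEROUS_SEGMENTS.has(s))) return false;
  let current = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(current, key) ? current[key] : undefined;
    if (typeof own !== 'object' || own === null) {
      current[key] = Object.create(null); // prototype-less intermediate object
    }
    current = current[key];
  }
  current[segments[segments.length - 1]] = value;
  return true;
}

// Parses [name, value] pairs into a prototype-less body and lists rejected names.
function parseFields(pairs) {
  const body = Object.create(null);
  const rejected = [];
  for (const [name, value] of pairs) {
    if (!setField(body, name, value)) rejected.push(name);
  }
  return { body, rejected };
}

// Constructed sample input: benign fields plus the root-level and nested payload
// shapes the advisories name.
const SAMPLE_FIELDS = [
  ['user.name', 'alice'],
  ['tags.0', 'a'],
  ['__proto__.polluted', 'yes'],
  ['user.__proto__.polluted', 'yes'],
  ['constructor.prototype.polluted', 'yes'],
];

// Runs the parser and reports whether Object.prototype is still clean afterwards.
function demo() {
  const { body, rejected } = parseFields(SAMPLE_FIELDS);
  return { body, rejected, prototypeClean: !('polluted' in {}) };
}
```

Rejecting the whole field is deliberate: silently dropping only the dangerous segment would let `user.__proto__.polluted` degrade into `user.polluted` and hide the attempt from logs.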
OSV
CVE-2026-25754 [HIGH]: AdonisJS multipart body parsing has Prototype Pollution issue
Source: osv · published 2026-02-06 (description identical to the GHSA advisory above)
No detection rules found.
No public exploits indexed.