Description
AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.
Published: 2026-02-06
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Prototype Pollution
Action: Patch
AI Analysis

Impact

AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0‑next.9, multipart form‑data parsing contains a prototype pollution vulnerability that can be exploited by a remote attacker to manipulate JavaScript object prototypes at runtime. This flaw can alter application behavior, potentially enabling malicious code execution or data tampering if the polluted prototypes influence subsequent logic.

Affected Systems

The vulnerability affects the AdonisJS core library, specifically the bodyparser middleware used for multipart form data. All versions of adonisjs:core released before v10.1.3 and before the v11.0.0‑next.9 release are impacted. Upgrading to v10.1.3 or v11.0.0‑next.9 and later mitigates the issue.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently expected to be rare. The vulnerability is not listed in CISA's KEV catalog. Attackers would need to send a crafted multipart form‑data request to an exposed endpoint that uses the bodyparser; the flaw is exploitable remotely without authentication, therefore the attack vector is inferred to be network-based.

Generated by OpenCVE AI on April 17, 2026 at 22:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade adonisjs core and bodyparser to version 10.1.3 or later, and to 11.0.0‑next.9 or later for newer releases.
  • Review application routes that accept multipart form data and ensure they are only exposed to trusted users or protected by proper authentication and input validation.
  • If an immediate upgrade is not possible, implement a temporary defense by inspecting multipart requests for unexpected object properties and rejecting requests that attempt to set prototype-related fields, or use a WAF rule that blocks requests containing suspicious multipart payloads.

Generated by OpenCVE AI on April 17, 2026 at 22:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f5x2-vj4h-vg4c AdonisJS multipart body parsing has Prototype Pollution issue
History

Tue, 17 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adonisjs:bodyparser:*:*:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next1:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next2:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next3:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next4:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next5:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next6:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next7:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next8:*:*:*:node.js:*:*

Mon, 09 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Adonisjs
Adonisjs bodyparser
Vendors & Products Adonisjs
Adonisjs bodyparser

Fri, 06 Feb 2026 23:00:00 +0000

Type Values Removed Values Added
Description AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.
Title AdonisJS multipart body parsing has Prototype Pollution issue
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Adonisjs Bodyparser
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:26:12.060Z

Reserved: 2026-02-05T18:35:52.357Z

Link: CVE-2026-25754

cve-icon Vulnrichment

Updated: 2026-02-09T15:21:50.322Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T23:15:54.390

Modified: 2026-03-17T20:42:28.537

Link: CVE-2026-25754

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses