Description
AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a denial of service (DoS) vulnerability exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and process termination. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.
Published: 2026-02-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The AdonisJS framework is vulnerable to a memory-exhaustion flaw that occurs during multipart file upload processing. The multipart parser in the @adonisjs/bodyparser package may accumulate an unbounded amount of data in memory while trying to detect the file type of an uploaded part, allowing an attacker to cause excessive memory consumption and eventual process termination. The weakness corresponds to uncontrolled resource consumption and missing allocation limits (CWE-400, CWE-770).

Affected Systems

The issue affects the AdonisJS core library, specifically the bodyparser component prior to releases 10.1.3 and 11.0.0‑next.9. Systems running AdonisJS applications that accept file uploads and are using older versions of @adonisjs/bodyparser are vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 7.5 (High) and an EPSS score below 1%, indicating a moderate overall risk given the very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote (CVSS AV:N) and requires no privileges or user interaction (PR:N/UI:N): an attacker only needs to craft a multipart upload with large payloads. No privilege escalation is required; the DoS can be triggered by any client that can submit a file to the application.

Generated by OpenCVE AI on April 17, 2026 at 22:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @adonisjs/bodyparser to version 10.1.3 or later (10.1.3 and 11.0.0‑next.9 introduce the fix).
  • If an immediate upgrade is not possible, configure the bodyparser to impose a hard limit on the size of multipart uploads and consider disabling multipart parsing for untrusted endpoints.
  • Apply any vendor‑provided patches or updates as soon as they are available to ensure the memory‑buffering logic is corrected.
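The defensive pattern behind the recommendations above, shown as an added illustration and not as @adonisjs/bodyparser's own code or its actual fix: a part handler that keeps only a fixed-size window of the upload for file-type detection and counts every further byte against a hard per-part cap, so memory use stays constant no matter how large or how slowly a part arrives. The class and method names, the 4100-byte sniff window, the 20 MiB default cap, the signature table and the simulated upload are all assumptions constructed for this example.

```typescript
// Added illustrative example (not the project's code): a bounded "sniff"
// buffer for file-type detection. Only the first SNIFF_LIMIT bytes of a part
// are retained for magic-number matching; later chunks are counted against a
// total size cap but never appended, so memory use is O(SNIFF_LIMIT).

const SNIFF_LIMIT = 4100; // assumed window; typical magic-number libraries read about this much
const DEFAULT_MAX_PART_BYTES = 20 * 1024 * 1024; // assumed 20 MiB per-part cap

// Minimal constructed signature table (real detectors know many more types).
const SIGNATURES: Array<{ mime: string; magic: number[] }> = [
  { mime: "image/png", magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", magic: [0xff, 0xd8, 0xff] },
  { mime: "image/gif", magic: [0x47, 0x49, 0x46, 0x38] },
  { mime: "application/pdf", magic: [0x25, 0x50, 0x44, 0x46] },
];

class PartSizeExceededError extends Error {}

class BoundedPartHandler {
  private sniff: Uint8Array;
  private sniffLen = 0;
  private total = 0;
  private detected: string | null = null;

  constructor(
    private readonly sniffLimit: number = SNIFF_LIMIT,
    private readonly maxPartBytes: number = DEFAULT_MAX_PART_BYTES,
  ) {
    this.sniff = new Uint8Array(sniffLimit);
  }

  // Feed one chunk from the multipart stream. Returns the detected MIME type
  // once the sniff window is full, otherwise null. Never grows the buffer
  // beyond sniffLimit, and rejects the part once the total exceeds the cap.
  push(chunk: Uint8Array): string | null {
    this.total += chunk.length;
    if (this.total > this.maxPartBytes) {
      throw new PartSizeExceededError(`part exceeds ${this.maxPartBytes} bytes`);
    }
    if (this.detected !== null) return this.detected; // nothing more to buffer

    const room = this.sniffLimit - this.sniffLen;
    if (room > 0) {
      const take = Math.min(room, chunk.length);
      this.sniff.set(chunk.subarray(0, take), this.sniffLen);
      this.sniffLen += take;
    }
    if (this.sniffLen >= this.sniffLimit) this.detected = this.detect();
    return this.detected;
  }

  // Called at end of part: decide on whatever was buffered, even if the part
  // was shorter than the sniff window.
  finish(): string {
    if (this.detected === null) this.detected = this.detect();
    return this.detected;
  }

  bufferedBytes(): number { return this.sniffLen; }
  totalBytes(): number { return this.total; }

  private detect(): string {
    const head = this.sniff.subarray(0, this.sniffLen);
    for (const { mime, magic } of SIGNATURES) {
      if (head.length >= magic.length && magic.every((b, i) => head[i] === b)) return mime;
    }
    return "application/octet-stream";
  }
}

// Constructed sample: a PNG signature followed by zero filler, delivered in
// small chunks the way a slow client would stream it.
function simulateUpload(
  totalBytes: number,
  chunkSize: number,
  handler: BoundedPartHandler = new BoundedPartHandler(),
): { mime: string; buffered: number; total: number } {
  const pngHeader = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];
  let sent = 0;
  while (sent < totalBytes) {
    const n = Math.min(chunkSize, totalBytes - sent);
    const chunk = new Uint8Array(n);
    for (let i = 0; i < n && sent + i < pngHeader.length; i++) chunk[i] = pngHeader[sent + i];
    handler.push(chunk);
    sent += n;
  }
  return { mime: handler.finish(), buffered: handler.bufferedBytes(), total: handler.totalBytes() };
}
```

Feeding a 1 MB part through `simulateUpload(1_000_000, 1024)` yields `image/png` with exactly 4100 bytes retained; a handler constructed with a smaller `maxPartBytes` throws `PartSizeExceededError` as soon as the running total crosses the cap, which is the behaviour to look for when verifying that an upload limit is actually enforced before data is buffered.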



Advisories
Source: GitHub GHSA
ID: GHSA-xx9g-fh25-4q64
Title: AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection
History

Tue, 17 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:adonisjs:bodyparser:*:*:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next1:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next2:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next3:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next4:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next5:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next6:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next7:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next8:*:*:*:node.js:*:*

Mon, 09 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Adonisjs
Adonisjs bodyparser
Vendors & Products Adonisjs
Adonisjs bodyparser

Fri, 06 Feb 2026 23:00:00 +0000

Type Values Removed Values Added
Description AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a denial of service (DoS) vulnerability exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and process termination. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.
Title AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection
Weaknesses CWE-400
CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:26:05.149Z

Reserved: 2026-02-05T18:35:52.358Z

Link: CVE-2026-25762

Vulnrichment

Updated: 2026-02-09T15:21:48.547Z

NVD

Status : Analyzed

Published: 2026-02-06T23:15:54.670

Modified: 2026-03-17T20:43:40.180

Link: CVE-2026-25762

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses