Description
AdonisJS is a TypeScript-first web framework. From 10.1.3 until 10.1.5 and 11.0.3, AdonisJS @adonisjs/bodyparser incompletely fixed CVE-2026-25754 because nested multipart field payloads such as user.__proto__.polluted and constructor.prototype still caused lodash _.set() via @poppinss/utils to create plain intermediate objects and pollute Object.prototype. This issue is fixed in versions 10.1.5 and 11.0.3.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-qcm7-3vpr-hj5h | @adonisjs/bodyparser has an incomplete fix for CVE-2026-25754 |
References
History
Wed, 15 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | AdonisJS is a TypeScript-first web framework. From 10.1.3 until 10.1.5 and 11.0.3, AdonisJS @adonisjs/bodyparser incompletely fixed CVE-2026-25754 because nested multipart field payloads such as user.__proto__.polluted and constructor.prototype still caused lodash _.set() via @poppinss/utils to create plain intermediate objects and pollute Object.prototype. This issue is fixed in versions 10.1.5 and 11.0.3. | |
| Title | Incomplete fix for CVE-2026-25754 in @adonisjs/bodyparser | |
| Weaknesses | CWE-1321 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T21:23:14.393Z
Reserved: 2026-05-22T20:18:20.366Z
Link: CVE-2026-48795
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Github GHSA