GHSA-F5X2-VJ4H-VG4C

Vulnerability from github – Published: 2026-02-06 19:27 – Updated: 2026-02-07 00:33
Summary
AdonisJS multipart body parsing has Prototype Pollution issue
Details

Description

A Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts @adonisjs/bodyparser through version 10.1.2 and 11.x prerelease versions prior to 11.0.0-next.8. This issue has been patched in @adonisjs/bodyparser versions 10.1.3 and 11.0.0-next.9.

Details

AdonisJS parses multipart/form-data requests via the BodyParser package. During multipart parsing, form field names are used to construct plain JavaScript objects representing the parsed request body.

Due to insufficient validation of multipart field names, specially crafted fields containing reserved property names such as __proto__, constructor, or prototype could be assigned directly to objects created during parsing. This allows an attacker to pollute object prototypes, potentially affecting other parts of the application that rely on these objects.

The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing.
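The field-name-to-object step the advisory describes, as an added example that is not @adonisjs/bodyparser code: a hardened assignment routine that rejects prototype-related path segments and builds the parsed body from null-prototype objects, plus a small check usable for logging or request filtering. Field names are assumed to use bracket notation ("user[roles][0]"); the function names are hypothetical.

```javascript
// Added example, not code from @adonisjs/bodyparser. Models the multipart
// parsing step in which decoded field names become keys of the body object.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// "user[roles][0]" -> ["user", "roles", "0"] (assumed bracket notation)
function splitFieldName(name) {
  return name.split('[').map((part) => part.replace(/\]$/, ''));
}

// Detection helper: true when any path segment names a prototype-related
// property. Suitable for logging or rejecting a request before parsing.
function isPrototypePollutingName(name) {
  return splitFieldName(name).some((seg) => FORBIDDEN_SEGMENTS.has(seg));
}

// Assign one decoded field into `root`. Two independent defences:
// 1. any forbidden path segment is rejected outright;
// 2. every nested object is created with a null prototype, so "__proto__"
//    is an ordinary own key there rather than the Object.prototype accessor.
function assignField(root, name, value) {
  const segments = splitFieldName(name);
  if (segments.some((seg) => FORBIDDEN_SEGMENTS.has(seg))) {
    throw new Error(`rejected multipart field name: ${name}`);
  }
  let node = root;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Descend only into objects this parser created itself (own properties),
    // never into anything inherited from a prototype chain.
    if (!Object.hasOwn(node, seg) || typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = Object.create(null);
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return root;
}

// Build the request body from an ordered list of [name, value] pairs, the
// shape a multipart decoder hands back once boundaries are stripped.
function parseFields(entries) {
  const body = Object.create(null);
  for (const [name, value] of entries) {
    assignField(body, name, value);
  }
  return body;
}
```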

Impact

Exploitation requires an application endpoint that accepts and parses multipart/form-data requests.

If exploited, prototype pollution may lead to unexpected application behavior, logic bypasses, or security issues depending on how polluted objects are later consumed. The severity of the impact depends on application logic and usage patterns of the parsed request data.

Patches

Fixes targeting v6 and v7 have been published below.

Users should upgrade to a version that includes the following fix:
  • https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3
  • https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.1.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@adonisjs/bodyparser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "10.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.0.0-next.8"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@adonisjs/bodyparser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0-next.0"
            },
            {
              "fixed": "11.0.0-next.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25754"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T19:27:30Z",
    "nvd_published_at": "2026-02-06T23:15:54Z",
    "severity": "HIGH"
  },
  "details": "### Description\n\nA Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts `@adonisjs/bodyparser` through version `10.1.2` and `11.x` prerelease versions prior to `11.0.0-next.8`. This issue has been patched in `@adonisjs/bodyparser` versions `10.1.3` and `11.0.0-next.9`\n\n### Details\n\nAdonisJS parses `multipart/form-data` requests via the BodyParser package. During multipart parsing, form field names are used to construct plain JavaScript objects representing the parsed request body.\n\nDue to insufficient validation of multipart field names, specially crafted fields containing reserved property names such as `__proto__`, `constructor`, or `prototype` could be assigned directly to objects created during parsing. This allows an attacker to pollute object prototypes, potentially affecting other parts of the application that rely on these objects.\n\n**The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing.**\n\n### Impact\n\nExploitation requires an application endpoint that accepts and parses `multipart/form-data` requests.\n\nIf exploited, prototype pollution may lead to unexpected application behavior, logic bypasses, or security issues depending on how polluted objects are later consumed. The severity of the impact depends on application logic and usage patterns of the parsed request data.\n\n### Patches\n\nFixes targeting v6 and v7 have been published below.\n\nUsers should upgrade to a version that includes the following fix:\n- https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3\n- https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9",
  "id": "GHSA-f5x2-vj4h-vg4c",
  "modified": "2026-02-07T00:33:30Z",
  "published": "2026-02-06T19:27:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25754"
    },
    {
      "type": "WEB",
      "url": "https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed"
    },
    {
      "type": "WEB",
      "url": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/adonisjs/core"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AdonisJS multipart body parsing has Prototype Pollution issue"
}