GHSA-G5GC-H5HP-555F

Vulnerability from github – Published: 2026-01-13 20:37 – Updated: 2026-01-13 21:41
Summary
Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State
Details

Summary

Description

A Mass Assignment (CWE-915) vulnerability in AdonisJS Lucid may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6.

Details

A vulnerability in the BaseModelImpl class of @adonisjs/lucid may allow an attacker to overwrite internal class properties (such as $isPersisted, $attributes, or $isDeleted) when passing plain objects to model assignment methods.

The library relies on a this.hasOwnProperty(key) check to validate assignment targets. However, because internal ORM state properties are initialized as instance properties, they pass this check. Consequently, if an attacker can influence specific keys (like $isPersisted) into the payload passed to merge() or $consumeAdapterResult(), they can hijack the ORM's internal logic.

The exposed internal properties include:

- $attributes: The raw storage for model data.
- $isPersisted: Controls whether save() performs an INSERT or an UPDATE.
- $original: Stores the original state of the record used to calculate changes.
- $isDeleted: Prevents operations on deleted models.

This issue propagates to the entire write surface of the library, including:

- Instance methods fill and merge.
- Single record creation methods create, createQuietly, firstOrNew, and firstOrCreate.
- Conditional updates via updateOrCreate.
- Bulk operations createMany, createManyQuietly, fetchOrNewUpMany, fetchOrCreateMany, and updateOrCreateMany.

Impact

Applications are vulnerable if they pass unvalidated data or validated data that retains unknown properties to the model. This occurs because internal keys exist as instance properties, causing them to pass the hasOwnProperty check and bypass Lucid's default rejection of unknown properties.

Applications utilizing strict allow lists for input validation that discard unknown properties are not affected.

For example, if a developer passes request.all(), request.except() or a schema with allowUnknownProperties to Model.create(), the ORM's internal logic can be hijacked. Because the Model.create() > save() decision is based on $isPersisted, and merge() can assign to the own-property $isPersisted, an attacker who can inject "$isPersisted": true into the payload can force save() to take the UPDATE branch rather than the INSERT branch, while setting $attributes can bypass validators or field restrictions.

Patches

This issue has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6. Please upgrade to one of these versions or later.

Developers can mitigate this issue by strictly validating model inputs with an allow list that drops unknown keys if possible.
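To make the mechanism from the Details and Impact sections and the allow-list mitigation concrete, here is an added example that is not @adonisjs/lucid's code: a stand-in model whose merge() accepts any own property (as the advisory describes), the same model with column-only assignment, and an application-side allow list applied before the vulnerable merge(). The column names, method bodies and error message are assumptions.

```javascript
// Added stand-in for a Lucid-style model, written for this advisory; it is NOT
// @adonisjs/lucid's code. Column names, method bodies and messages are assumptions.
class VulnerableModel {
  constructor(columns) {
    this.$columns = new Set(columns);
    this.$attributes = {};
    this.$isPersisted = false; // save() uses this to choose INSERT vs UPDATE
  }
  merge(values) {
    for (const [key, value] of Object.entries(values)) {
      if (this.$columns.has(key)) {
        this.$attributes[key] = value;
      } else if (Object.prototype.hasOwnProperty.call(this, key)) {
        // Own-property check: internal state initialised in the constructor passes it,
        // so a payload key such as "$isPersisted" overwrites ORM state.
        this[key] = value;
      } else {
        throw new Error(`Cannot define "${key}" on model`);
      }
    }
    return this;
  }
  save() { return this.$isPersisted ? 'UPDATE' : 'INSERT'; }
}

class PatchedModel extends VulnerableModel {
  merge(values) {
    for (const [key, value] of Object.entries(values)) {
      // Only declared columns are assignable; internal state is never a target.
      if (!this.$columns.has(key)) throw new Error(`Cannot define "${key}" on model`);
      this.$attributes[key] = value;
    }
    return this;
  }
}

// Application-side mitigation from the advisory: an allow list that drops unknown keys.
function pickAllowed(payload, allowed) {
  return Object.fromEntries(Object.entries(payload).filter(([k]) => allowed.includes(k)));
}

// Constructed request body: one legitimate column plus an injected internal key.
const injectedBody = { email: 'user@example.com', $isPersisted: true };

function saveWithVulnerableModel(payload) { return new VulnerableModel(['email']).merge(payload).save(); }
function saveWithAllowList(payload) { return saveWithVulnerableModel(pickAllowed(payload, ['email'])); }
function saveWithPatchedModel(payload) {
  try { return new PatchedModel(['email']).merge(payload).save(); } catch (e) { return `rejected: ${e.message}`; }
}
```

With the injected body, the vulnerable model's save() takes the UPDATE branch for a record that was never inserted, while both the patched merge() and the allow list leave $isPersisted untouched.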


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 21.8.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@adonisjs/lucid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "21.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@adonisjs/lucid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "22.0.0-next.0"
            },
            {
              "fixed": "22.0.0-next.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T20:37:09Z",
    "nvd_published_at": "2026-01-13T20:16:11Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n**Description**\nA Mass Assignment (CWE-915) vulnerability in AdonisJS Lucid may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6.\n\n### Details\nA vulnerability in the `BaseModelImpl` class of `@adonisjs/lucid` may allow an attacker to overwrite internal class properties (such as `$isPersisted`, `$attributes`, or `$isDeleted`) when passing plain objects to model assignment methods.\n\nThe library relies on a `this.hasOwnProperty(key)` check to validate assignment targets. However, because internal ORM state properties are initialized as instance properties, they pass this check. Consequently, if an attacker can influence specific keys (like `$isPersisted`) into the payload passed to `merge()` or `$consumeAdapterResult()`, they can hijack the ORM\u0027s internal logic.\n\nThe exposed internal properties include:\n- `$attributes`: The raw storage for model data.\n- `$isPersisted`: Controls whether\u00a0`save()`\u00a0performs an\u00a0`INSERT`\u00a0or an\u00a0`UPDATE`.\n- `$original`: Stores the original state of the record used to calculate\u00a0changes.\n- `$isDeleted`: Prevents operations on deleted models.\n\nThis issue propagates to the entire write surface of the library, including:\n- Instance methods `fill` and  `merge`.\n- Single record creation methods `create`, `createQuietly`, `firstOrNew`, and `firstOrCreate`.\n- Conditional updates via `updateOrCreate`.\n- Bulk operations `createMany`, `createManyQuietly`, `fetchOrNewUpMany`, `fetchOrCreateMany`, and `updateOrCreateMany`.\n\n### Impact\nApplications are vulnerable if they pass unvalidated data or validated data that retains unknown properties to the model. This occurs because internal keys exist as instance properties, causing them to pass the `hasOwnProperty` check and bypass Lucid\u0027s default rejection of unknown properties.\n\nApplications utilizing strict allow lists for input validation that discard unknown properties are not affected.\n\nFor example, if a developer passes\u00a0`request.all()`, `request.except()` or a schema with `allowUnknownProperties` to\u00a0`Model.create()`, the ORM\u0027s internal logic can be hijacked. Because the\u00a0`Model.create()` \u003e `save()`\u00a0decision is based on\u00a0`$isPersisted`, and\u00a0`merge()`\u00a0can assign to the own-property\u00a0`$isPersisted`, an attacker who can inject\u00a0`\"$isPersisted\": true`\u00a0into the payload can force\u00a0`save()`\u00a0to take the UPDATE branch rather than the INSERT branch, while setting `$attributes` can bypass validators or field restrictions.\n\n\n### Patches\nThis issue has been patched in @adonisjs/lucid version `21.8.2` and `22.0.0-next.6`. Please upgrade to this version or later.\n\nDevelopers can mitigate this issue by strictly validating model inputs with an allow list that drops unknown keys if possible.",
  "id": "GHSA-g5gc-h5hp-555f",
  "modified": "2026-01-13T21:41:38Z",
  "published": "2026-01-13T20:37:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22814"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/adonisjs/lucid"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State"
}

