CVE-2026-25754

AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.
Configurations

Configuration 1

OR
cpe:2.3:a:adonisjs:bodyparser:*:*:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:*:*:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next1:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next2:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next3:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next4:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next5:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next6:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next7:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next8:*:*:*:node.js:*:*

History

17 Mar 2026, 20:42

Type Values Removed Values Added
First Time Adonisjs
Adonisjs bodyparser
CPE cpe:2.3:a:adonisjs:bodyparser:11.0.0:next6:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next1:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next7:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:*:*:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next2:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next4:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next5:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next8:*:*:*:node.js:*:*
cpe:2.3:a:adonisjs:bodyparser:11.0.0:next3:*:*:*:node.js:*:*
Summary
  • (es) AdonisJS is a TypeScript-first web framework. Before versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing could allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.
References | https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed | https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed - Patch
References | https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9 | https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9 - Release Notes
References | https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c | https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c - Third Party Advisory

06 Feb 2026, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2026-02-06 23:15

Updated : 2026-03-17 20:42


NVD link : CVE-2026-25754

Mitre link : CVE-2026-25754

CVE.ORG link : CVE-2026-25754

Products Affected

adonisjs

  • bodyparser
CWE
CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')