AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.
AdonisJS multipart body parsing has Prototype Pollution issue
Problem type
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Affected products
adonisjs / core (the fix ships in the @adonisjs/bodyparser package)
< 10.1.3 - AFFECTED
< 11.0.0-next.9 - AFFECTED
References
https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c
https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed
https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9
GitHub Security Advisories
GHSA-f5x2-vj4h-vg4c
AdonisJS multipart body parsing has Prototype Pollution issue
https://github.com/advisories/GHSA-f5x2-vj4h-vg4c
Description
A Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts @adonisjs/bodyparser through version 10.1.2 and 11.x prerelease versions prior to 11.0.0-next.9. This issue has been patched in @adonisjs/bodyparser versions 10.1.3 and 11.0.0-next.9.
Details
AdonisJS parses multipart/form-data requests via the BodyParser package. During multipart parsing, form field names are used to construct plain JavaScript objects representing the parsed request body.
Due to insufficient validation of multipart field names, specially crafted fields containing reserved property names such as __proto__, constructor, or prototype could be assigned directly to objects created during parsing. This allows an attacker to pollute object prototypes, potentially affecting other parts of the application that rely on these objects.
The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing.
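To make the mechanism concrete, here is an added example (illustrative code written for this page, not AdonisJS's or @adonisjs/bodyparser's implementation): a minimal multipart/form-data parser feeding the field-name-to-object step, run once without field-name validation and once with reserved segments rejected. The boundary, field names and request bodies are constructed for the demonstration; `RESERVED_SEGMENTS`, `setField`, `parseBody` and the other names are chosen here and are not the package's API.

```typescript
// Added example, not AdonisJS/@adonisjs/bodyparser code: how bracketed multipart
// field names become a nested body object, and how `__proto__[...]` escapes it.
type Fields = Record<string, unknown>;

// Segments that must never be taken from untrusted field names (hypothetical guard).
const RESERVED_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// `user[address][city]` -> ["user", "address", "city"]; `tags[]` -> ["tags", ""].
function splitFieldName(name: string): string[] {
  return name.replace(/\]/g, "").split("[");
}

// Store `value` under the path named by `name`, creating intermediate objects.
// validate=false reproduces the vulnerable behaviour described above;
// validate=true rejects reserved segments before any write happens.
function setField(root: Fields, name: string, value: string, validate: boolean): void {
  const segments = splitFieldName(name);
  let node: Fields = root;
  for (let i = 0; i < segments.length; i++) {
    const seg = segments[i];
    if (validate && RESERVED_SEGMENTS.has(seg)) {
      throw new Error(`field "${name}" uses reserved property name "${seg}"`);
    }
    if (i === segments.length - 1) {
      node[seg] = value; // when node is Object.prototype this write is the pollution
      return;
    }
    if (segments[i + 1] === "") {
      // `tags[]`: repeated fields accumulate into an array
      const list = Array.isArray(node[seg]) ? (node[seg] as string[]) : [];
      list.push(value);
      node[seg] = list;
      return;
    }
    let child = node[seg];
    if (typeof child !== "object" || child === null) {
      child = {};
      node[seg] = child;
    }
    // Reading node["__proto__"] on a plain object yields Object.prototype,
    // so the next segment is written onto every object in the process.
    node = child as Fields;
  }
}

// Minimal multipart/form-data parser: text parts only, enough for the demo.
function parseMultipart(body: string, boundary: string): Array<[string, string]> {
  const fields: Array<[string, string]> = [];
  for (const chunk of body.split(`--${boundary}`)) {
    const part = chunk.replace(/^\r\n/, "").replace(/\r\n$/, "");
    if (part === "" || part === "--") continue;
    const sep = part.indexOf("\r\n\r\n");
    if (sep === -1) continue;
    const m = /content-disposition:.*?\bname="([^"]*)"/i.exec(part.slice(0, sep));
    if (m) fields.push([m[1], part.slice(sep + 4)]);
  }
  return fields;
}

function parseBody(raw: string, boundary: string, validate: boolean): Fields {
  const body: Fields = {};
  for (const [name, value] of parseMultipart(raw, boundary)) setField(body, name, value, validate);
  return body;
}

// Build a raw multipart body from (name, value) pairs; used to construct sample requests.
function buildMultipart(parts: Array<[string, string]>, boundary: string): string {
  const lines: string[] = [];
  for (const [name, value] of parts) {
    lines.push(`--${boundary}`, `Content-Disposition: form-data; name="${name}"`, "", value);
  }
  lines.push(`--${boundary}--`, "");
  return lines.join("\r\n");
}

// Constructed sample requests (boundary and field names are made up for this example).
const BOUNDARY = "----example-boundary-7f3a";
const BENIGN_PARTS: Array<[string, string]> = [["user[name]", "alice"], ["tags[]", "a"], ["tags[]", "b"]];
const ATTACK_PARTS: Array<[string, string]> = [...BENIGN_PARTS, ["__proto__[isAdmin]", "true"]];

// Unpatched behaviour: does an object the parser never touched now see `isAdmin`?
function demonstratePollution(): boolean {
  parseBody(buildMultipart(ATTACK_PARTS, BOUNDARY), BOUNDARY, false);
  const unrelated: Fields = {};
  const polluted = unrelated["isAdmin"] === "true";
  delete (Object.prototype as unknown as Fields)["isAdmin"]; // undo the damage for the rest of the process
  return polluted;
}

// Patched behaviour: the request is rejected and Object.prototype stays clean.
function demonstrateRejection(): { rejected: boolean; polluted: boolean } {
  let rejected = false;
  try {
    parseBody(buildMultipart(ATTACK_PARTS, BOUNDARY), BOUNDARY, true);
  } catch (e) {
    rejected = e instanceof Error && e.message.includes("reserved");
  }
  return { rejected, polluted: ({} as Fields)["isAdmin"] !== undefined };
}

console.log("unpatched pollutes:", demonstratePollution(), "| patched:", demonstrateRejection());
```

Rejecting reserved segments is the check the advisory describes as missing. A second layer is to build body containers with `Object.create(null)`, which has no inherited `__proto__` accessor to walk through; the name check is still worth keeping because `Object.prototype` can also be reached as `constructor.prototype` in parsers that descend into function-valued properties. Either way, reject the whole request rather than silently dropping the offending field, so the application never sees a partially applied body.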
Impact
Exploitation requires an application endpoint that accepts and parses multipart/form-data requests.
If exploited, prototype pollution may lead to unexpected application behavior, logic bypasses, or security issues depending on how polluted objects are later consumed. The severity of the impact depends on application logic and usage patterns of the parsed request data.
Patches
Fixes for the AdonisJS v6 and v7 release lines (@adonisjs/bodyparser 10.1.3 and 11.0.0-next.9 respectively) are linked below.
Users should upgrade to a version that includes the following fix:
https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c
https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed
https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9
https://nvd.nist.gov/vuln/detail/CVE-2026-25754
https://github.com/advisories/GHSA-f5x2-vj4h-vg4c
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-25754
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-25754",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-02-06T22:48:38.668Z",
"dateReserved": "2026-02-05T18:35:52.357Z",
"datePublished": "2026-02-06T22:48:38.668Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-02-06T22:48:38.668Z"
},
"title": "AdonisJS multipart body parsing has Prototype Pollution issue",
"descriptions": [
{
"lang": "en",
"value": "AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9."
}
],
"affected": [
{
"vendor": "adonisjs",
"product": "core",
"versions": [
{
"version": "< 10.1.3",
"status": "affected"
},
{
"version": "< 11.0.0-next.9",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')",
"cweId": "CWE-1321",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c",
"name": "https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed",
"name": "https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9",
"name": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "CHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH"
}
}
]
}
}
}