CVE-2026-25754

Description

### Description A Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts `@adonisjs/bodyparser` through version `10.1.2` and `11.x` prerelease versions prior to `11.0.0-next.8`. This issue has been patched in `@adonisjs/bodyparser` versions `10.1.3` and `11.0.0-next.9` ### Details AdonisJS parses `multipart/form-data` requests via the BodyParser package. During multipart parsing, form field names are used to construct plain JavaScript objects representing the parsed request body. Due to insufficient validation of multipart field names, specially crafted fields containing reserved property names such as `__proto__`, `constructor`, or `prototype` could be assigned directly to objects created during parsing. This allows an attacker to pollute object prototypes, potentially affecting other parts of the application that rely on these objects. **The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing.** ### Impact Exploitation requires an application endpoint that accepts and parses `multipart/form-data` requests. If exploited, prototype pollution may lead to unexpected application behavior, logic bypasses, or security issues depending on how polluted objects are later consumed. The severity of the impact depends on application logic and usage patterns of the parsed request data. ### Patches Fixes targeting v6 and v7 have been published below. Users should upgrade to a version that includes the following fix: - https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3 - https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9

How to fix CVE-2026-25754

To remediate CVE-2026-25754, upgrade the affected package to a fixed version below.

• —upgrade to 10.1.3 or later

Is CVE-2026-25754 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)