
CVE

CVE-2026-25754

AdonisJS multipart body parsing has Prototype Pollution issue

Description

A Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts @adonisjs/bodyparser through version 10.1.2 and 11.x prerelease versions prior to 11.0.0-next.8. This issue has been patched in @adonisjs/bodyparser versions 10.1.3 and 11.0.0-next.9.

Details

AdonisJS parses multipart/form-data requests via the BodyParser package. During multipart parsing, form field names are used to construct plain JavaScript objects representing the parsed request body.

Due to insufficient validation of multipart field names, specially crafted fields containing reserved property names such as `__proto__`, `constructor`, or `prototype` could be assigned directly to objects created during parsing. This allows an attacker to pollute object prototypes, potentially affecting other parts of the application that rely on these objects.

The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing.
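The pattern described above, as an added example that is not AdonisJS code and does not reproduce the project's actual fix: a simplified bracket-notation field-name parser in the style multipart parsers use, with the vulnerable object-building step beside a hardened one. The functions (splitFieldName, setPathUnsafe, setPathSafe, parseFields, demonstrateUnsafe) and the sample field names are constructed for this example; the only thing taken from the advisory is the set of reserved keys.

```javascript
'use strict';

// Keys named in the advisory; none of them may be used as a path segment.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// "user[profile][name]" -> ["user", "profile", "name"].
// Simplified bracket-notation parser written for this example.
function splitFieldName(name) {
  const segments = [];
  const re = /^([^\[\]]+)|\[([^\[\]]*)\]/g;
  let m;
  while ((m = re.exec(name)) !== null) {
    segments.push(m[1] !== undefined ? m[1] : m[2]);
  }
  return segments;
}

// Vulnerable pattern: walks and creates nested plain objects without checking
// the segment names. For "__proto__[polluted]" the walk lands on
// Object.prototype and the final assignment writes there.
function setPathUnsafe(root, name, value) {
  const segs = splitFieldName(name);
  let cur = root;
  for (let i = 0; i < segs.length - 1; i++) {
    if (typeof cur[segs[i]] !== 'object' || cur[segs[i]] === null) {
      cur[segs[i]] = {};
    }
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return root;
}

// Hardened pattern: reject any field whose path contains a reserved key, and
// build intermediate containers with Object.create(null) so there is no
// prototype chain to walk into even if a check is bypassed elsewhere.
function setPathSafe(root, name, value) {
  const segs = splitFieldName(name);
  if (segs.length === 0 || segs.some((s) => RESERVED_KEYS.has(s))) {
    throw new Error(`rejected multipart field name: ${name}`);
  }
  let cur = root;
  for (let i = 0; i < segs.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, segs[i]);
    if (!own || typeof cur[segs[i]] !== 'object' || cur[segs[i]] === null) {
      cur[segs[i]] = Object.create(null);
    }
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return root;
}

// Build a request body from (fieldName, value) pairs with the hardened setter,
// recording rejected names so they can be logged or turned into a 400 response.
function parseFields(pairs) {
  const body = Object.create(null);
  const rejected = [];
  for (const [name, value] of pairs) {
    try {
      setPathSafe(body, name, value);
    } catch (e) {
      rejected.push(name);
    }
  }
  return { body, rejected };
}

// Shows the vulnerable setter polluting Object.prototype, then removes the
// polluted property again so the rest of the process is unaffected.
// Returns what an unrelated empty object observed while polluted.
function demonstrateUnsafe() {
  setPathUnsafe({}, '__proto__[polluted]', 'yes');
  const seen = {}.polluted;
  delete Object.prototype.polluted;
  return seen;
}

// Constructed sample fields, in the order a multipart parser would deliver them.
const SAMPLE_FIELDS = [
  ['user[name]', 'alice'],
  ['user[tags][0]', 'admin'],
  ['__proto__[polluted]', 'yes'],
  ['constructor[prototype][polluted]', 'yes'],
];

// Stand-alone run: the hardened parser keeps the legitimate fields, rejects
// the two dangerous ones, and Object.prototype stays clean afterwards.
const demoResult = parseFields(SAMPLE_FIELDS);
console.log(JSON.stringify(demoResult.body), demoResult.rejected, {}.polluted === undefined);
```

Because the hardened body and its nested containers have no prototype, downstream code must use `Object.prototype.hasOwnProperty.call(obj, key)` (or `Object.hasOwn`) rather than `obj.hasOwnProperty(key)`; rejecting the whole field rather than silently dropping one segment also gives a clear log line to alert on. None of this replaces upgrading to the patched versions listed below.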

Impact

Exploitation requires an application endpoint that accepts and parses multipart/form-data requests.

If exploited, prototype pollution may lead to unexpected application behavior, logic bypasses, or security issues depending on how polluted objects are later consumed. The severity of the impact depends on application logic and usage patterns of the parsed request data.

Patches

Fixes targeting v6 and v7 have been published below.

Users should upgrade to a version that includes the following fix:

  • https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3
  • https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9


CVSS

  • Severity: High
  • Base Score: 7.2
  • CVSS Version: 3.1
  • Score Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N


References

  • https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c
  • https://nvd.nist.gov/vuln/detail/CVE-2026-25754
  • https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed
  • https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9
  • https://github.com/adonisjs/core


Basic Information

  • Ecosystem: npm
  • Base CVSS: 7.2
  • EPSS Probability: 0.00016%
  • EPSS Percentile: 0.0349%
  • Introduced Version: 0, 9.0.0-0, 11.0.0-next.0, 2.1.0, 1.0.1
  • Fix Available: 10.1.3, 11.0.0-next.9
