DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25754: AdonisJS BodyParser: When a Form Field Eats the Universe


Vulnerability ID: CVE-2026-25754
CVSS Score: 7.2
Published: 2026-02-06

A critical Prototype Pollution vulnerability in the AdonisJS @adonisjs/bodyparser package allows unauthenticated attackers to corrupt the global object prototype via crafted multipart form-data requests. By manipulating the __proto__ property during field accumulation, attackers can trigger Denial of Service, authentication bypasses, or potentially Remote Code Execution depending on the application's gadget chain.

TL;DR

The AdonisJS body parser initialized form field storage as a plain object ({}). This allowed attackers to inject properties into Object.prototype by sending form fields named __proto__.key. This pollutes the entire application runtime, affecting every object in the process.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-1321 (Prototype Pollution)
  • CVSS v3.1: 7.2 (High)
  • Attack Vector: Network (AV:N)
  • Authentication: None (PR:N)
  • EPSS Score: 0.00036 (10.29%)
  • Exploit Status: PoC Available
  • Patch Commit: 40e1c71f958cffb74f6b91bed6630dca979062ed

Affected Systems

  • AdonisJS Framework (v10 and v11-next)
  • Node.js applications using @adonisjs/bodyparser
  • @adonisjs/bodyparser: < 10.1.3 (Fixed in: 10.1.3)
  • @adonisjs/bodyparser: < 11.0.0-next.9 (Fixed in: 11.0.0-next.9)

Code Analysis

Commit: 40e1c71

fix: use null as prototype for form fields collection

--- a/src/form_fields.ts
+++ b/src/form_fields.ts
-  #fields: any = {}
+  #fields: any = Object.create(null)
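Review bot: switching the root to Object.create(null) removes the inherited __proto__ accessor at the top level only; if the intermediate containers created while expanding a nested field name are still plain objects, a path such as a.__proto__.b can re-enter Object.prototype one level down, so please confirm every container created during field accumulation uses Object.create(null) as well. A regression test that submits a __proto__-named field and asserts that a fresh {} gains no property would lock this in, and narrowing the `any` on `#fields` would make the null-prototype intent visible to readers and the type checker.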

Exploit Details

  • GitHub Advisory: Advisory containing PoC logic for multipart form manipulation.

Mitigation Strategies

  • Upgrade @adonisjs/bodyparser packages immediately.
  • Implement WAF rules to block __proto__ and constructor keywords in request bodies.
  • Audit custom code for similar usage of plain objects ({}) as dictionaries for user input.
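To make the TL;DR concrete and to show what the "audit plain-object dictionaries" and "block __proto__/constructor" mitigations look like in code, here is an added example; it is not code from @adonisjs/bodyparser or from this report. It models a multipart field accumulator with a simplified dotted field-name syntax (the real parser's name syntax is not reproduced), uses constructed sample fields, and the function names (accumulateFields, isDangerousFieldName, compare) are hypothetical. The same walker is run once with a plain {} root, mirroring the pre-fix `#fields = {}`, and once with an Object.create(null) root, mirroring the fix, and a probe checks whether a fresh object inherited the injected key.

```javascript
// Added example, not code from @adonisjs/bodyparser: a deliberately minimal
// model of a multipart field accumulator. Field names use a dotted path
// ("user.name"); the real parser's bracket syntax is not reproduced here.

// Constructed sample: the fields a parser would hand to the accumulator.
// The second entry follows the "__proto__.key" pattern from the advisory.
const SAMPLE_FIELDS = [
  ['user.name', 'alice'],
  ['__proto__.isAdmin', 'true'],
];

// Walk a dotted path and set the leaf value. `makeContainer` decides what
// kind of object the root and every intermediate node are; that choice is
// the entire difference between the vulnerable and the fixed behaviour.
function accumulateFields(fields, makeContainer) {
  const root = makeContainer();
  for (const [name, value] of fields) {
    const parts = name.split('.');
    let node = root;
    for (const part of parts.slice(0, -1)) {
      // On a plain {} root, node["__proto__"] already resolves to
      // Object.prototype, so the walk silently leaves the container.
      // On a null-prototype root it is undefined and becomes an own key.
      if (typeof node[part] !== 'object' || node[part] === null) {
        node[part] = makeContainer();
      }
      node = node[part];
    }
    node[parts[parts.length - 1]] = value;
  }
  return root;
}

// Input-validation counterpart of the WAF rule in the mitigation list:
// reject any path segment that names a prototype hop. Blocking "constructor"
// also covers the constructor.prototype route.
const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor']);
function isDangerousFieldName(name) {
  return name.split('.').some((segment) => DANGEROUS_SEGMENTS.has(segment));
}

// Probe: does a freshly created, unrelated object now carry the injected key?
function freshObjectIsPolluted() {
  return ({}).isAdmin !== undefined;
}

// Run both container strategies against the same input and report the effect.
function compare() {
  // Pre-fix shape: #fields = {}
  const plain = accumulateFields(SAMPLE_FIELDS, () => ({}));
  const pollutedByPlain = freshObjectIsPolluted();
  // Undo the pollution so the rest of this process is unaffected.
  delete Object.prototype.isAdmin;

  // Post-fix shape: #fields = Object.create(null)
  const nullProto = accumulateFields(SAMPLE_FIELDS, () => Object.create(null));
  const pollutedByNullProto = freshObjectIsPolluted();

  return { plain, nullProto, pollutedByPlain, pollutedByNullProto };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = compare();
  console.log('plain {} root polluted Object.prototype:', r.pollutedByPlain);
  console.log('Object.create(null) root polluted Object.prototype:', r.pollutedByNullProto);
  console.log('own keys of the fixed container:', Object.keys(r.nullProto));
}
```

With the plain root, the hostile field lands on Object.prototype and every object in the process inherits `isAdmin`; with the null-prototype root the same field becomes an ordinary own key named `__proto__` on the container and nothing outside it changes. The name filter is a second, independent layer: the null-prototype fix removes the gadget, while the filter stops the suspicious input from being accepted at all, which is the belt-and-braces arrangement the mitigation list describes.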

Remediation Steps:

  1. Identify the current version: npm list @adonisjs/bodyparser
  2. For v10 users: npm install @adonisjs/core@10.1.3
  3. For v11 users: npm install @adonisjs/core@11.0.0-next.9
  4. Restart the application service.

Read the full report for CVE-2026-25754 on our website for more details including interactive diagrams and full exploit analysis.
