Infinite Stream of Death: Crashing AdonisJS with Unbounded Buffers
Vulnerability ID: CVE-2026-25762
CVSS Score: 7.5
Published: 2026-02-06
A classic but devastating Denial of Service vulnerability in the AdonisJS framework's @adonisjs/bodyparser package. By exploiting the multipart file parser's eagerness to identify file types (magic numbers), an attacker can stream an infinite amount of data into a memory buffer that never flushes. This results in a rapid consumption of server RAM, triggering an Out-of-Memory (OOM) crash and effectively taking down the application with a single malicious POST request.
TL;DR
The AdonisJS bodyparser tries to auto-detect file types by reading the start of a file stream. Before the patch, it didn't stop reading if it couldn't find a match. Attackers can send an endless stream of garbage, causing the server to buffer it all until it crashes from memory exhaustion.
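The bug class described above, as an added illustration that is not the @adonisjs/bodyparser source: a multipart handler peeks at the leading bytes of a file part to guess its type from magic numbers. The unbounded variant keeps buffering until a signature matches, so a body that never matches grows the in-memory head without limit; the bounded variant gives up after a fixed number of bytes and releases the data downstream, which is the behaviour a fix has to restore. The signature table, the HeadSniffer class and the 4100-byte ceiling are assumptions made for this example, not values taken from the project.

```javascript
// Added illustration of the unbounded-sniff pattern, not the @adonisjs/bodyparser code.

// Constructed signature table; real detectors know hundreds of formats.
const SIGNATURES = [
  { type: 'image/png', magic: Buffer.from([0x89, 0x50, 0x4e, 0x47]) },
  { type: 'image/jpeg', magic: Buffer.from([0xff, 0xd8, 0xff]) },
  { type: 'application/pdf', magic: Buffer.from('%PDF-') },
];

// Assumed ceiling: enough leading bytes to recognise any signature we know.
const MAX_SNIFF_BYTES = 4100;

function detectType(buf) {
  for (const { type, magic } of SIGNATURES) {
    if (buf.length >= magic.length && buf.subarray(0, magic.length).equals(magic)) {
      return type;
    }
  }
  return null;
}

class HeadSniffer {
  // maxSniffBytes === null reproduces the unbounded (vulnerable) behaviour.
  constructor(maxSniffBytes = MAX_SNIFF_BYTES) {
    this.maxSniffBytes = maxSniffBytes;
    this.head = Buffer.alloc(0);   // bytes held in memory while the type is undecided
    this.peakBuffered = 0;         // largest size this.head ever reached
    this.type = null;              // decided content type, once known
    this.released = 0;             // bytes handed downstream (disk or handler)
  }

  write(chunk) {
    if (this.type !== null) {      // already decided: nothing is buffered any more
      this.released += chunk.length;
      return;
    }
    // Bounded mode only copies what is still needed to reach the ceiling.
    const take = this.maxSniffBytes === null
      ? chunk
      : chunk.subarray(0, this.maxSniffBytes - this.head.length);
    this.head = Buffer.concat([this.head, take]);
    this.peakBuffered = Math.max(this.peakBuffered, this.head.length);

    const found = detectType(this.head);
    if (found !== null) {
      this.decide(found, chunk.length - take.length);
    } else if (this.maxSniffBytes !== null && this.head.length >= this.maxSniffBytes) {
      // Bounded: stop detecting and stop holding data in memory.
      this.decide('application/octet-stream', chunk.length - take.length);
    }
    // Unbounded: no match and no ceiling, so the head keeps growing forever.
  }

  decide(type, extraFromChunk) {
    this.type = type;
    this.released += this.head.length + extraFromChunk;
    this.head = Buffer.alloc(0);   // release the sniff buffer
  }
}

// Feed totalBytes of a constructed body that matches no signature, in
// chunkSize pieces, and report the largest buffer the sniffer held.
function peakMemoryForGarbage(sniffer, totalBytes, chunkSize = 64 * 1024) {
  const chunk = Buffer.alloc(chunkSize, 0x41); // 'A' repeated: never a magic number
  for (let sent = 0; sent < totalBytes; sent += chunkSize) sniffer.write(chunk);
  return sniffer.peakBuffered;
}

if (typeof require !== 'undefined' && require.main === module) {
  const body = 2 * 1024 * 1024;
  const unbounded = peakMemoryForGarbage(new HeadSniffer(null), body);
  const bounded = peakMemoryForGarbage(new HeadSniffer(), body);
  console.log(`unbounded sniffer held ${unbounded} bytes, bounded held ${bounded}`);
}
```

With a 2 MB non-matching body the unbounded sniffer's peak equals the whole body, and it scales with whatever the client keeps sending; the bounded sniffer never holds more than its ceiling and forwards the rest, so memory stays flat regardless of body length. A reverse-proxy body-size limit caps the same growth from outside the process.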
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-400 (Uncontrolled Resource Consumption)
- CVSS: 7.5 (High)
- Attack Vector: Network (Remote)
- Availability Impact: High (Service Crash)
- Exploit Status: Trivial / PoC reproducible
- EPSS Score: 0.00012 (Low probability of mass exploitation)
Affected Systems
- AdonisJS Framework
- @adonisjs/bodyparser middleware
- @adonisjs/bodyparser < 10.1.3 (fixed in 10.1.3)
- @adonisjs/bodyparser < 11.0.0-next.9 (fixed in 11.0.0-next.9)
Exploit Details
- Hypothetical: Standard infinite HTTP body streaming attack using Python requests or curl.
Mitigation Strategies
- Update @adonisjs/bodyparser to a patched version immediately.
- Implement a reverse proxy (Nginx/HAProxy) with strict 'client_max_body_size' limits.
- Monitor Node.js process memory usage for anomalous spikes.
Remediation Steps:
- Run npm install @adonisjs/bodyparser@latest, or specifically target 10.1.3 / 11.0.0-next.9.
- Restart the application service.
- Verify the fix by attempting to upload a large file with an unrecognizable header (safe testing).
References
Read the full report for CVE-2026-25762 on our website for more details including interactive diagrams and full exploit analysis.