{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25754", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T18:35:52.357Z", "datePublished": "2026-02-06T22:48:38.668Z", "dateUpdated": "2026-02-09T15:26:12.060Z"}, "containers": {"cna": {"title": "AdonisJS multipart body parsing has Prototype Pollution issue", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c"}, {"name": "https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed", "tags": ["x_refsource_MISC"], "url": "https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed"}, {"name": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9"}], "affected": [{"vendor": "adonisjs", "product": "core", "versions": [{"version": "< 10.1.3", "status": "affected"}, {"version": "< 11.0.0-next.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T22:48:38.668Z"}, "descriptions": [{"lang": "en", "value": "AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9."}], "source": {"advisory": "GHSA-f5x2-vj4h-vg4c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:21:49.378875Z", "id": "CVE-2026-25754", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:26:12.060Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25754", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T15:21:49.378875Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:21:50.322Z"}}], "cna": {"title": "AdonisJS multipart body parsing has Prototype Pollution issue", "source": {"advisory": "GHSA-f5x2-vj4h-vg4c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "adonisjs", "product": "core", "versions": [{"status": "affected", "version": "< 10.1.3"}, {"status": "affected", "version": "< 11.0.0-next.9"}]}], "references": [{"url": "https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c", "name": "https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed", "name": "https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9", "name": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T22:48:38.668Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25754", "state": "PUBLISHED", "dateUpdated": "2026-02-09T15:26:12.060Z", "dateReserved": "2026-02-05T18:35:52.357Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T22:48:38.668Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adonisjs:bodyparser:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A2D0EAB1-2749-484C-8CF3-C51E5E934279", "versionEndExcluding": "10.1.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:adonisjs:bodyparser:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "020CFEB2-5732-42CA-B05A-5BE722B7EC41", "versionEndExcluding": "11.0.0", "versionStartIncluding": "10.1.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:adonisjs:bodyparser:11.0.0:next1:*:*:*:node.js:*:*", "matchCriteriaId": "E7CB148B-B37C-4BAB-8F9A-B2E028FDE19A", "vulnerable": true}, {"criteria": "cpe:2.3:a:adonisjs:bodyparser:11.0.0:next2:*:*:*:node.js:*:*", "matchCriteriaId": "250E3E4D-B54A-4AD9-93C0-D26DE41B8CF8", "vulnerable": true}, {"criteria": "cpe:2.3:a:adonisjs:bodyparser:11.0.0:next3:*:*:*:node.js:*:*", "matchCriteriaId": "2DFE6131-7D0C-4B69-B4C0-F77BA58E9F3F", "vulnerable": true}, {"criteria": "cpe:2.3:a:adonisjs:bodyparser:11.0.0:next4:*:*:*:node.js:*:*", "matchCriteriaId": "99B68074-366C-4B96-909D-E49DFE3D240A", "vulnerable": true}, {"criteria": "cpe:2.3:a:adonisjs:bodyparser:11.0.0:next5:*:*:*:node.js:*:*", "matchCriteriaId": "349D208E-B74B-4BEE-9958-9E9FC7BB73BA", "vulnerable": true}, {"criteria": "cpe:2.3:a:adonisjs:bodyparser:11.0.0:next6:*:*:*:node.js:*:*", "matchCriteriaId": "51559F52-A6DF-4CD4-A763-36AA17AFB0CB", "vulnerable": true}, {"criteria": "cpe:2.3:a:adonisjs:bodyparser:11.0.0:next7:*:*:*:node.js:*:*", "matchCriteriaId": "FCDAA05D-1138-4C7B-9AA8-1627996390C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:adonisjs:bodyparser:11.0.0:next8:*:*:*:node.js:*:*", "matchCriteriaId": "0C3D4CD4-4DF6-440B-9D4D-E0E36273434A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9."}, {"lang": "es", "value": "AdonisJS es un framework web con prioridad en TypeScript. Antes de las versiones 10.1.3 y 11.0.0-next.9, una vulnerabilidad de contaminaci\u00f3n de prototipos en el an\u00e1lisis de datos de formulario multipart de AdonisJS podr\u00eda permitir a un atacante remoto manipular prototipos de objetos en tiempo de ejecuci\u00f3n. Este problema ha sido parcheado en las versiones 10.1.3 y 11.0.0-next.9."}], "id": "CVE-2026-25754", "lastModified": "2026-03-17T20:42:28.537", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-06T23:15:54.390", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:18:21.225157+00:00", "value": {"mitigation_remediation": ["Upgrade adonisjs core and bodyparser to version 10.1.3 or later, and to 11.0.0\u2011next.9 or later for newer releases.", "Review application routes that accept multipart form data and ensure they are only exposed to trusted users or protected by proper authentication and input validation.", "If an immediate upgrade is not possible, implement a temporary defense by inspecting multipart requests for unexpected object properties and rejecting requests that attempt to set prototype-related fields, or use a WAF rule that blocks requests containing suspicious multipart payloads."], "summary": {"action": "Patch", "impact": "Prototype Pollution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the AdonisJS core library, specifically the bodyparser middleware used for multipart form data. All versions of adonisjs:core released before v10.1.3 and before the v11.0.0\u2011next.9 release are impacted. Upgrading to v10.1.3 or v11.0.0\u2011next.9 and later mitigates the issue.", "description_and_impact": "AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0\u2011next.9, multipart form\u2011data parsing contains a prototype pollution vulnerability that can be exploited by a remote attacker to manipulate JavaScript object prototypes at runtime. This flaw can alter application behavior, potentially enabling malicious code execution or data tampering if the polluted prototypes influence subsequent logic.", "risk_and_exploitability": "The CVSS score of 7.2 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently expected to be rare. The vulnerability is not listed in CISA's KEV catalog. Attackers would need to send a crafted multipart form\u2011data request to an exposed endpoint that uses the bodyparser; the flaw is exploitable remotely without authentication, therefore the attack vector is inferred to be network-based."}}}}, "created": "2026-02-09T10:45:14.845111+00:00", "updated": "2026-04-17T22:30:29.587158+00:00", "vendors": ["adonisjs", "adonisjs$PRODUCT$bodyparser"]}