CVE-2026-25754: AdonisJS multipart body parsing has Prototype Pollution issue
A Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts @adonisjs/bodyparser through version 10.1.2 and 11.x prerelease versions prior to 11.0.0-next.8. This issue has been patched in @adonisjs/bodyparser versions 10.1.3 and 11.0.0-next.9.
References
- github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed
- github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9
- github.com/adonisjs/core
- github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c
- github.com/advisories/GHSA-f5x2-vj4h-vg4c
- nvd.nist.gov/vuln/detail/CVE-2026-25754