CVE-2026-25754
Severity: HIGH 7.2 | EPSS 0.02%
AdonisJS multipart body parsing has Prototype Pollution issue
Description

### Description

A Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts `@adonisjs/bodyparser` through version `10.1.2` and `11.x` prerelease versions prior to `11.0.0-next.8`. This issue has been patched in `@adonisjs/bodyparser` versions `10.1.3` and `11.0.0-next.9`.

### Details

AdonisJS parses `multipart/form-data` requests via the BodyParser package. During multipart parsing, form field names are used to construct plain JavaScript objects representing the parsed request body. Due to insufficient validation of multipart field names, specially crafted fields containing reserved property names such as `__proto__`, `constructor`, or `prototype` could be assigned directly to objects created during parsing. This allows an attacker to pollute object prototypes, potentially affecting other parts of the application that rely on these objects.

**The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing.**

### Impact

Exploitation requires an application endpoint that accepts and parses `multipart/form-data` requests. If exploited, prototype pollution may lead to unexpected application behavior, logic bypasses, or security issues depending on how polluted objects are later consumed. The severity of the impact depends on application logic and usage patterns of the parsed request data.

### Patches

Fixes targeting v6 and v7 have been published below. Users should upgrade to a version that includes the following fix:

- https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3
- https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9
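The Details section above describes field names being assigned directly to the objects built during parsing. As an added example (not AdonisJS's or the bodyparser package's code), the following shows one hardened way to build a parsed body from multipart field names, rejecting reserved segments and using null-prototype containers, together with a runtime check for unexpected keys on `Object.prototype`. The bracket-path field syntax, the function names and the sample fields are assumptions constructed for this example.

```javascript
// Property names that must never become keys of the parsed body or its children.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Splits "user[address][city]" into ["user", "address", "city"]; this bracket syntax is
// an assumption for the example, not AdonisJS's own field grammar. Returns null unless
// the whole name parses, so malformed names are rejected rather than guessed at.
function splitFieldName(name) {
  const segments = [];
  const re = /^([^[\]]+)|\[([^[\]]*)\]/g;
  let consumed = 0, m;
  while ((m = re.exec(name)) !== null) {
    if (m.index !== consumed) return null; // stray characters between segments
    segments.push(m[1] !== undefined ? m[1] : m[2]);
    consumed = re.lastIndex;
  }
  return consumed === name.length && segments.length > 0 ? segments : null;
}

// Assigns one field into `body`. Every path segment is checked against RESERVED_KEYS and
// intermediate containers are null-prototype objects, so no field name can reach
// Object.prototype. Returns false when the field is rejected.
function assignField(body, name, value) {
  const path = splitFieldName(name);
  if (path === null || path.some((seg) => RESERVED_KEYS.has(seg))) return false;
  let node = body;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    const child = Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined;
    if (typeof child !== 'object' || child === null) node[key] = Object.create(null);
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return true;
}

// Builds the body from an ordered field list and reports rejected names for logging.
function buildBody(fields) {
  const body = Object.create(null);
  const rejected = [];
  for (const { name, value } of fields) if (!assignField(body, name, value)) rejected.push(name);
  return { body, rejected };
}

// Runtime check: any own property of Object.prototype that was not present at startup.
const PROTO_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function newPrototypeProperties() {
  return Object.getOwnPropertyNames(Object.prototype).filter((k) => !PROTO_BASELINE.has(k));
}

// Constructed sample: two ordinary fields and two that carry reserved segments.
const SAMPLE_FIELDS = [
  { name: 'title', value: 'report' }, { name: 'user[name]', value: 'alice' },
  { name: '__proto__[polluted]', value: 'yes' }, { name: 'user[constructor][prototype][polluted]', value: 'yes' },
];
console.log(buildBody(SAMPLE_FIELDS), 'new prototype keys:', newPrototypeProperties());
```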
Affected packages (1)
- npm/@adonisjs/bodyparser: from 0, < 10.1.3
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-25754
- PATCH: https://github.com/adonisjs/core
- WEB: https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed
- WEB: https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9
- WEB: https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c