Prototype Pollution Vulnerability in AdonisJS by AdonisJS Team
CVE-2026-25754

7.2HIGH

Key Information:

Vendor

Adonisjs

Status
Core
Vendor
CVE Published:
6 February 2026

What is CVE-2026-25754?

AdonisJS, a TypeScript-first web framework, has been found to have a prototype pollution vulnerability in its multipart form-data parsing module. This security issue could enable remote attackers to manipulate object prototypes at runtime, potentially leading to unexpected behavior in applications leveraging this framework. Mitigation is available in the patched versions 10.1.3 and 11.0.0-next.9, which should be adopted by all users to safeguard their applications.

Affected Version(s)

core < 10.1.3 < 10.1.3

core < 11.0.0-next.9 < 11.0.0-next.9

References

https://github.com/adonisjs/core/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/adonisjs/bodyparser/commit/40e1c71f958...
x_refsource_MISC
https://github.com/adonisjs/bodyparser/releases/tag/v11.0...
x_refsource_MISC

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.