AdonisJS Vulnerability in Bodyparser Affects TypeScript Web Framework
CVE-2026-48795
8.6HIGH
What is CVE-2026-48795?
The @adonisjs/bodyparser module of the AdonisJS web framework contains a vulnerability that allows an attacker to manipulate object prototypes through nested multipart field payloads. Specifically, the improper handling of objects in the payload can lead to Object.prototype pollution, allowing for unexpected behavior in the application. This issue has been addressed in versions 10.1.5 and 11.0.3, which provide a complete fix for the conflicting handling mechanisms introduced in earlier versions. Developers are encouraged to upgrade to the latest versions to mitigate this risk.
Affected Version(s)
core >= 10.1.3, < 10.1.5 < 10.1.3, 10.1.5
core >= 11.0.0-next.9, < 11.0.3 < 11.0.0-next.9, 11.0.3
