Description

AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.

PUBLISHED Reserved 2026-02-05 | Published 2026-02-06 | Updated 2026-02-09 | Assigner GitHub_M




HIGH: 7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Problem types

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Product status

< 10.1.3: affected

< 11.0.0-next.9: affected

References

github.com/...s/core/security/advisories/GHSA-f5x2-vj4h-vg4c

github.com/...ommit/40e1c71f958cffb74f6b91bed6630dca979062ed

github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9

cve.org (CVE-2026-25754)

nvd.nist.gov (CVE-2026-25754)
