PT-2026-54440 · npm · @Adonisjs/Bodyparser
Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-48795
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Summary
The fix for GHSA-f5x2-vj4h-vg4c / CVE-2026-25754 introduced in commit 40e1c71 is incomplete and can be bypassed through nested prototype pollution payloads. The original patch replaced the internal FormFields storage object with Object.create(null), preventing direct payloads such as __proto__.polluted. However, payloads containing a non-dangerous segment before __proto__ or constructor.prototype, such as user.__proto__.polluted, still lead to Object.prototype pollution. This issue is exploitable remotely through a single unauthenticated multipart/form-data request using the default configuration.

Affected versions
- >= 10.1.3, < 10.1.5
- >= 11.0.0-next.9, < 11.0.3
Details
The regression tests added by the original fix only covered direct payloads such as:
- __proto__.polluted
- constructor.prototype.polluted

These payloads are blocked because the root object no longer inherits from Object.prototype. However, lodash .set() (via @poppinss/utils) still creates intermediate objects using plain {} values. Once a normal segment is encountered, subsequent __proto__ or constructor.prototype segments regain access to Object.prototype.

Impact
An unauthenticated attacker can remotely pollute Object.prototype on any route accepting multipart/form-data requests behind BodyParserMiddleware. Because the pollution is process-wide, the impact may include authorization bypasses, unexpected behavior in downstream libraries, or prototype pollution gadget chains leading to remote code execution.
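The following is an added example, not code from @adonisjs/bodyparser, @poppinss/utils or lodash. It models the mechanism described under Details with two small nested setters of its own (naiveSet, safeSet, pollutes and runChecks are names chosen here): naiveSet stands in for a lodash.set-style setter that starts from a null-prototype root but builds intermediate containers as plain {} objects, and safeSet is the hardened counterpart that rejects __proto__, constructor and prototype at every depth and builds intermediates with Object.create(null). The probe shows why the direct payload is blocked while the nested one is not, and that the hardened setter blocks both.

```javascript
// Added example, not code from @adonisjs/bodyparser, @poppinss/utils or lodash:
// a minimal model of the bug class the advisory describes. All names below are
// the example's own.

const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// lodash-style "can I descend into this value" check: objects and functions
// both count, which is why `constructor` (a function) is traversable.
function isContainer(v) {
  return v !== null && (typeof v === 'object' || typeof v === 'function');
}

// Model of the incomplete fix: the root is a null-prototype object, but every
// intermediate container is a plain {} and path segments are never validated.
function naiveSet(root, path, value) {
  const segments = path.split('.');
  let node = root;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    if (!isContainer(node[key])) {
      node[key] = {}; // plain object: inherits from Object.prototype, so __proto__ resolves again
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return root;
}

// Hardened setter: rejects the dangerous segments at every depth, only descends
// into own properties, and creates intermediates with Object.create(null).
function safeSet(root, path, value) {
  const segments = path.split('.');
  for (const key of segments) {
    if (DANGEROUS_SEGMENTS.has(key)) {
      throw new Error(`rejected unsafe field path segment: ${key}`);
    }
  }
  let node = root;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || !isContainer(node[key])) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return root;
}

// Applies one field path with the given setter to a fresh null-prototype store
// (as the original patch does) and reports whether the last segment became
// visible on an unrelated plain object, i.e. whether Object.prototype was
// polluted. The marker is removed afterwards so the probe leaves no lasting
// process-wide effect. A setter that throws counts as "not polluted".
function pollutes(setter, path) {
  const store = Object.create(null);
  const key = path.split('.').pop();
  const marker = Symbol('marker');
  try {
    setter(store, path, marker);
    return ({})[key] === marker;
  } catch (e) {
    return false;
  } finally {
    if (Object.prototype.hasOwnProperty.call(Object.prototype, key) &&
        Object.prototype[key] === marker) {
      delete Object.prototype[key];
    }
  }
}

// The payload shapes named in the advisory, checked against both setters.
function runChecks() {
  const paths = [
    '__proto__.polluted',                  // direct: blocked by the null-prototype root
    'user.__proto__.polluted',             // nested: the reported bypass
    'user.constructor.prototype.polluted', // nested via constructor.prototype
  ];
  const results = {};
  for (const p of paths) {
    results[p] = { naive: pollutes(naiveSet, p), safe: pollutes(safeSet, p) };
  }
  return results;
}

console.log(JSON.stringify(runChecks(), null, 2));
```

The design point for anyone auditing a form-field or deep-merge helper: a null-prototype root only protects the first segment of a path, so the check for dangerous keys has to run on every segment, and every container created along the way should itself be prototype-less.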
Patches
Fixes targeting v6 and v7 have been published below.
Users should upgrade to a version that includes the following fix:
- https://github.com/adonisjs/bodyparser/releases/tag/v10.1.5
- https://github.com/adonisjs/bodyparser/releases/tag/v11.0.3
References
- CWE-1321
- Prior advisory this bypasses: GHSA-f5x2-vj4h-vg4c / CVE-2026-25754
Fix
Prototype Pollution
Weakness Enumeration
Related identifiers
Affected products
@Adonisjs/Bodyparser