Adonisjs · Adonisjs · CVE-2026-25754
**Name of the Vulnerable Software and Affected Versions**
AdonisJS versions prior to 10.1.3
AdonisJS versions 11.0.0-next.0 through 11.0.0-next.8
**Description**
A prototype pollution issue in AdonisJS multipart form-data parsing could allow a remote attacker to manipulate object prototypes during runtime. The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing. Exploitation requires an application endpoint that accepts and parses `multipart/form-data` requests. If exploited, prototype pollution may lead to unexpected application behavior or logic bypasses, depending on how polluted objects are consumed. The vulnerability impacts the `@adonisjs/bodyparser` package through version `10.1.2` and `11.x` prerelease versions prior to `11.0.0-next.9`.
**Recommendations**
Upgrade to AdonisJS version 10.1.3 or later.
Upgrade to AdonisJS version 11.0.0-next.9 or later.
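To confirm that no affected build is still installed, the following added example (not part of the advisory or of AdonisJS itself) classifies `@adonisjs/bodyparser` versions against the ranges stated above and scans the `packages` map of an npm lockfile. The function names and the sample lockfile are constructed for illustration; version shapes the advisory does not list are reported as `unknown` for manual review.

```javascript
const PKG = '@adonisjs/bodyparser';

// Parse "X.Y.Z" or "X.Y.Z-tag.N"; returns null for any other shape.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z-]+)\.(\d+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [+m[1], +m[2], +m[3]], tag: m[4] || null, n: m[5] ? +m[5] : null };
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function cmpCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns 'affected', 'fixed' or 'unknown' per the advisory's ranges:
// affected < 10.1.3, and 11.0.0-next.0 through 11.0.0-next.8.
function classify(version) {
  const p = parseVersion(version);
  if (!p) return 'unknown';
  const vs11 = cmpCore(p.core, [11, 0, 0]);
  if (vs11 > 0 || (vs11 === 0 && !p.tag)) return 'fixed'; // later than 11.0.0-next.9
  if (vs11 === 0) {
    if (p.tag !== 'next') return 'unknown'; // other 11.0.0 prerelease tags are not listed
    return p.n <= 8 ? 'affected' : 'fixed';
  }
  if (p.tag) return 'unknown'; // prerelease below 11.0.0: not covered by the advisory
  return cmpCore(p.core, [10, 1, 3]) < 0 ? 'affected' : 'fixed';
}

// Report every installed copy, including copies nested under other dependencies.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      findings.push({ path, version: meta.version, status: classify(meta.version) });
    }
  }
  return findings;
}

// Constructed lockfile fragment (hypothetical project and dependency names).
const SAMPLE_LOCK = {
  packages: {
    'node_modules/@adonisjs/bodyparser': { version: '10.1.2' },
    'node_modules/dep-a/node_modules/@adonisjs/bodyparser': { version: '11.0.0-next.9' },
    'node_modules/dep-b/node_modules/@adonisjs/bodyparser': { version: '11.0.0-next.8' },
  },
};
console.log(scanLockfile(SAMPLE_LOCK));
```

Nested copies matter here: upgrading the top-level dependency does not replace a vulnerable copy pinned under another package.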