PT-2026-6810 · Adonisjs+1
Romain Lanz · Published 2026-02-06 · Updated 2026-02-09
CVE-2026-25754
CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
AdonisJS versions prior to 10.1.3
AdonisJS versions 11.0.0-next.0 through 11.0.0-next.8
Description
A prototype pollution issue in AdonisJS multipart form-data parsing could allow a remote attacker to manipulate object prototypes during runtime. The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing. Exploitation requires an application endpoint that accepts and parses multipart/form-data requests. If exploited, prototype pollution may lead to unexpected application behavior or logic bypasses, depending on how polluted objects are consumed. The vulnerability impacts the @adonisjs/bodyparser package through version 10.1.2 and 11.x prerelease versions prior to 11.0.0-next.9.
Recommendations
Upgrade to AdonisJS version 10.1.3 or later.
Upgrade to AdonisJS version 11.0.0-next.9 or later.
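To confirm whether a project still resolves an affected build, the following added example (not code from AdonisJS or from this advisory) checks `@adonisjs/bodyparser` entries in a `package-lock.json` against the ranges listed above. The function names and the sample lockfile are constructed for illustration, and the advisory's version numbers are assumed to be `@adonisjs/bodyparser` package versions, as the description states.

```javascript
// Added example: flag @adonisjs/bodyparser versions in the ranges this advisory lists.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: numeric core first; a prerelease sorts below its release.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (!a.pre || !b.pre) return a.pre ? -1 : b.pre ? 1 : 0;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    if (x === y) continue;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) return +x < +y ? -1 : 1;
    if (xn !== yn) return xn ? -1 : 1; // numeric identifiers sort below alphanumeric
    return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) throw new Error(`unparseable version: ${version}`);
  const below = (s) => compareVersions(v, parseVersion(s)) < 0;
  if (below('10.1.3')) return true; // everything before the 10.x fix
  // 11.0.0 prereleases before next.9; the 11.0.0 release itself is not listed.
  return v.core.join('.') === '11.0.0' && v.pre !== null && below('11.0.0-next.9');
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
function findAffected(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path.endsWith('node_modules/@adonisjs/bodyparser') && meta.version)
    .filter(([, meta]) => isAffected(meta.version))
    .map(([path, meta]) => `${path}@${meta.version}`);
}

// Constructed lockfile fragment for illustration, not taken from a real project.
const sampleLock = { packages: {
  'node_modules/@adonisjs/bodyparser': { version: '10.1.2' },
  'node_modules/example-dep/node_modules/@adonisjs/bodyparser': { version: '11.0.0-next.9' },
} };
console.log(findAffected(sampleLock));
```

Nested copies pulled in by other dependencies are matched as well, since a transitive install can stay on an affected version after the top-level package is upgraded.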
Prototype Pollution
Weakness Enumeration
Related Identifiers
Affected Products
@Adonisjs/Bodyparser
Adonisjs