CVE-2026-25754 in adonisjs

Summary

by MITRE • 02/07/2026

AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.


Analysis

by VulDB Data Team • 03/17/2026

The vulnerability identified as CVE-2026-25754 represents a critical prototype pollution flaw within the AdonisJS web framework, affecting versions prior to 10.1.3 and 11.0.0-next.9. This security weakness specifically manifests during multipart form-data parsing operations, where the framework fails to properly sanitize user-supplied input before incorporating it into object prototypes. The issue stems from the framework's handling of form data that contains nested object properties, allowing malicious actors to inject prototype pollution payloads through carefully crafted input parameters. The vulnerability is particularly concerning because it operates at the core parsing layer of the framework, potentially affecting applications that rely heavily on form processing and user input validation. This type of vulnerability falls under the CWE-471 category of "Modification of Assumed-Immutable Data" and aligns with ATT&CK technique T1211 for "Exploitation for Privilege Escalation" when exploited in conjunction with other attack vectors.

The technical exploitation of this prototype pollution vulnerability occurs when an attacker submits form data containing specially crafted keys that manipulate the Object.prototype structure during parsing. The flaw allows attackers to inject properties into the prototype chain, which can subsequently affect all objects derived from that prototype. In the context of AdonisJS, this typically happens when multipart form data contains keys with nested property access patterns such as `__proto__` or `constructor`. When the framework processes these inputs without proper sanitization, it directly assigns these values to object properties, thereby polluting the prototype chain. This can lead to various downstream security implications including but not limited to denial of service conditions, code execution in certain contexts, or manipulation of application behavior through prototype manipulation. The vulnerability is particularly dangerous because it affects the fundamental object model of JavaScript applications, potentially allowing attackers to modify core object methods or properties that are used throughout the application lifecycle.

The operational impact of CVE-2026-25754 extends beyond simple data corruption, as prototype pollution can cascade through application logic and potentially enable more sophisticated attacks. Applications built on AdonisJS that accept user input through multipart forms become vulnerable to this attack vector, with potential consequences ranging from unauthorized privilege escalation to complete application compromise. The vulnerability is particularly concerning in environments where applications process sensitive user data or where the framework is used in conjunction with other components that may be susceptible to prototype pollution attacks. Attackers can leverage this vulnerability to manipulate object behavior, potentially causing applications to execute unintended code paths or behave in unexpected ways. The impact is amplified when the framework is used in server-side rendering contexts or when applications rely on specific object behaviors that could be altered through prototype pollution. This vulnerability also affects the broader JavaScript ecosystem since prototype pollution can interact with other security flaws to create more severe attack scenarios.

Mitigation strategies for CVE-2026-25754 require immediate patching of affected AdonisJS versions to 10.1.3 or 11.0.0-next.9 where the vulnerability has been addressed through proper input sanitization and prototype chain validation. Organizations should implement comprehensive input validation at multiple layers, ensuring that form data parsing includes checks for potentially malicious prototype pollution indicators. The recommended approach includes implementing custom middleware or utilizing existing security libraries that can detect and neutralize prototype pollution attempts during form processing. Security teams should also consider implementing runtime protections such as prototype chain validation, object freezing, or using safer object creation patterns that prevent modification of prototype properties. Additionally, organizations should conduct thorough security assessments of their AdonisJS applications to identify any custom code that might be vulnerable to prototype pollution through indirect manipulation of object properties. The fix implemented in patched versions typically involves stricter validation of form field names and ensuring that special property identifiers like `__proto__` and `constructor` are either rejected or properly escaped during the parsing process. This vulnerability underscores the importance of maintaining up-to-date framework versions and implementing comprehensive security controls that address both known and emerging threats in web application development environments.
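Added example, not AdonisJS's code and not the actual patch: a minimal field-name expander of the kind multipart parsers use to turn bracketed names into nested objects, in a naive form that writes through an inherited `__proto__` segment and a hardened form that rejects the segment names named above, descends only into own properties, and builds null-prototype containers. All function names and field names are constructed for illustration.

```javascript
// Added example, not AdonisJS code: a minimal field-name expander of the kind
// multipart parsers use to turn "user[profile][name]" into nested objects,
// shown in a naive form and a hardened form. All field names are constructed.

// "user[tags][0]" -> ["user", "tags", "0"]
function splitKey(name) {
  return name.replace(/\]/g, '').split('[');
}

// Naive expansion: descends with plain property access, so a segment named
// "__proto__" resolves to Object.prototype and the final write lands there.
function assignNaive(target, name, value) {
  const parts = splitKey(name);
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened expansion: reject prototype-related segments outright, descend only
// into own properties, and build null-prototype containers so there is no
// inherited chain for a stray segment to reach.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
function assignSafe(target, name, value) {
  const parts = splitKey(name);
  const bad = parts.find((p) => FORBIDDEN_SEGMENTS.has(p));
  if (bad !== undefined) throw new Error(`rejected field name "${name}": segment "${bad}"`);
  let cur = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, parts[i]);
    if (!own || typeof cur[parts[i]] !== 'object' || cur[parts[i]] === null) {
      cur[parts[i]] = Object.create(null);
    }
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Parse a list of [name, value] pairs, as a multipart parser would yield them.
function parseNaive(fields) {
  return fields.reduce((out, [n, v]) => assignNaive(out, n, v), {});
}
function parseSafe(fields) {
  return fields.reduce((out, [n, v]) => assignSafe(out, n, v), Object.create(null));
}
```

Rejecting the field name (rather than silently dropping it) also gives a clean log signal for detection: a request whose field names contain these segments is worth alerting on.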

Responsible: GitHub M

Reservation: 02/05/2026

Disclosure: 02/07/2026

Moderation: accepted

CPE: ready

EPSS: 0.00018

KEV: no

Activities: very low

Sources
