CVE-2026-48795 in AdonisJS
Summary
by MITRE • 07/16/2026
AdonisJS is a TypeScript-first web framework. From 10.1.3 until 10.1.5 and 11.0.3, AdonisJS @adonisjs/bodyparser incompletely fixed CVE-2026-25754 because nested multipart field payloads such as user.__proto__.polluted and constructor.prototype still caused lodash _.set() via @poppinss/utils to create plain intermediate objects and pollute Object.prototype. This issue is fixed in versions 10.1.5 and 11.0.3.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability described represents a prototype pollution issue affecting AdonisJS applications that utilize the @adonisjs/bodyparser package. This security flaw specifically impacts versions between 10.1.3 and 10.1.5, as well as 11.0.0 through 11.0.2, where the initial fix for CVE-2026-25754 was deemed incomplete. The vulnerability arises from insufficient validation of multipart form data payloads that contain nested field names designed to manipulate JavaScript object prototypes. When maliciously crafted requests are processed through the body parsing middleware, these payloads can cause the lodash _.set() function to create intermediate objects that inadvertently pollute the Object.prototype chain.
The technical execution of this vulnerability occurs when AdonisJS processes multipart form data containing specially crafted field names such as user._proto_.polluted or constructor.prototype. These field names exploit weaknesses in how the @poppinss/utils library handles nested object property assignment, allowing attackers to inject properties into the prototype of all objects in the application. The use of lodash _.set() function becomes problematic because it does not properly sanitize these nested property paths, enabling attackers to modify fundamental object behaviors and potentially execute arbitrary code through prototype manipulation attacks. This issue falls under CWE-471, which specifically addresses the modification of objects during their construction process.
The operational impact of this vulnerability extends beyond simple data corruption, as prototype pollution can lead to severe security consequences including denial of service conditions, privilege escalation, and potential remote code execution in certain contexts. Applications using affected versions of AdonisJS are at risk of having their object prototypes polluted with malicious properties that could be leveraged by attackers to manipulate application behavior or compromise system integrity. The vulnerability is particularly concerning because it can be exploited through HTTP request parameters without requiring authentication, making it a significant threat vector for web applications.
Organizations running affected AdonisJS applications should immediately upgrade to versions 10.1.5 or 11.0.3 where the fix has been properly implemented. The mitigation strategy involves not only updating the framework components but also implementing additional input validation measures at the application level to further reduce attack surface. Security teams should conduct comprehensive code reviews to identify any custom implementations that might be vulnerable to similar prototype pollution attacks, and consider implementing prototype pollution detection mechanisms as part of their defensive strategies. This vulnerability demonstrates the importance of thorough testing for security fixes and adherence to secure coding practices that prevent manipulation of core object properties in web applications.
The ATT&CK framework categorizes this vulnerability under T1590 for reconnaissance activities related to identifying application weaknesses, and potentially T1190 for exploiting vulnerabilities in web applications. Organizations should implement monitoring solutions that can detect unusual object prototype modifications or suspicious multipart form data patterns to identify potential exploitation attempts. Additionally, implementing proper input sanitization at multiple layers of the application architecture provides defense-in-depth protection against similar prototype pollution vulnerabilities that may not be fully addressed by framework updates alone.