AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.
{
"cwe_ids": [
"CWE-1321"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25754.json",
"cna_assigner": "GitHub_M"
}{
"cpe": [
"cpe:2.3:a:adonisjs:bodyparser:*:*:*:*:*:node.js:*:*",
"cpe:2.3:a:adonisjs:bodyparser:11.0.0:next1:*:*:*:node.js:*:*",
"cpe:2.3:a:adonisjs:bodyparser:11.0.0:next2:*:*:*:node.js:*:*",
"cpe:2.3:a:adonisjs:bodyparser:11.0.0:next3:*:*:*:node.js:*:*",
"cpe:2.3:a:adonisjs:bodyparser:11.0.0:next4:*:*:*:node.js:*:*",
"cpe:2.3:a:adonisjs:bodyparser:11.0.0:next5:*:*:*:node.js:*:*",
"cpe:2.3:a:adonisjs:bodyparser:11.0.0:next6:*:*:*:node.js:*:*",
"cpe:2.3:a:adonisjs:bodyparser:11.0.0:next7:*:*:*:node.js:*:*",
"cpe:2.3:a:adonisjs:bodyparser:11.0.0:next8:*:*:*:node.js:*:*"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "10.1.3"
},
{
"introduced": "10.1.4"
},
{
"fixed": "11.0.0"
},
{
"introduced": "11.0.0-next1"
},
{
"last_affected": "11.0.0-next1"
},
{
"introduced": "11.0.0-next2"
},
{
"last_affected": "11.0.0-next2"
},
{
"introduced": "11.0.0-next3"
},
{
"last_affected": "11.0.0-next3"
},
{
"introduced": "11.0.0-next4"
},
{
"last_affected": "11.0.0-next4"
},
{
"introduced": "11.0.0-next5"
},
{
"last_affected": "11.0.0-next5"
},
{
"introduced": "11.0.0-next6"
},
{
"last_affected": "11.0.0-next6"
},
{
"introduced": "11.0.0-next7"
},
{
"last_affected": "11.0.0-next7"
},
{
"introduced": "11.0.0-next8"
},
{
"last_affected": "11.0.0-next8"
}
],
"source": [
"CPE_RANGE",
"CPE_STRING",
"REFERENCES"
]
}