GHSA-qcm7-3vpr-hj5h

Source
https://github.com/advisories/GHSA-qcm7-3vpr-hj5h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-qcm7-3vpr-hj5h/GHSA-qcm7-3vpr-hj5h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qcm7-3vpr-hj5h
Aliases
  • CVE-2026-48795
Published
2026-06-30T18:34:32Z
Modified
2026-06-30T18:45:31.993319609Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Summary
@adonisjs/bodyparser has an incomplete fix for CVE-2026-25754
Details

Summary

The fix for GHSA-f5x2-vj4h-vg4c / CVE-2026-25754 introduced in commit 40e1c71 is incomplete and can be bypassed through nested prototype pollution payloads.

The original patch replaced the internal FormFields storage object with Object.create(null), preventing direct payloads such as __proto__.polluted. However, payloads containing a non-dangerous segment before __proto__ or constructor.prototype, such as user.__proto__.polluted, still lead to Object.prototype pollution.

This issue is exploitable remotely through a single unauthenticated multipart/form-data request using the default configuration.

Affected versions

  • >= 10.1.3 < 10.1.5
  • >= 11.0.0-next.9 < 11.0.3

Details

The regression tests added by the original fix only covered direct payloads such as:

  • __proto__.polluted
  • constructor.prototype.polluted

These payloads are blocked because the root object no longer inherits from Object.prototype.

However, lodash _.set() (via @poppinss/utils) still creates intermediate objects using plain {} values. Once a normal segment is encountered, subsequent __proto__ or constructor.prototype segments regain access to Object.prototype.
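The mechanism described above (a null-prototype root is not enough once intermediate objects are plain `{}`) calls for a check on every path segment, not only the first. The following is an added example, not code from @adonisjs/bodyparser, lodash or @poppinss/utils: a path setter that rejects `__proto__`, `constructor` and `prototype` at any depth and also creates its intermediate containers without a prototype. The tokenizer, the function names (`tokenizePath`, `isSafePath`, `safeSet`, `buildFormFields`, `prototypeIsClean`) and the sample field names are assumptions constructed for this example, modelled on the payload shapes named in the advisory.

```javascript
// Added example (not the package's own code): reject prototype-pollution
// path segments at ANY depth, instead of relying on a null-prototype root.

const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a lodash-style path ("a.b[0].c", 'a["x"]') into its segments.
// Hypothetical tokenizer written for this example; it is not lodash's own.
function tokenizePath(path) {
  const segments = [];
  const re = /[^.[\]]+|\[(?:"([^"]*)"|'([^']*)'|([^\]]*))\]/g;
  let m;
  while ((m = re.exec(path)) !== null) {
    if (m[1] !== undefined) segments.push(m[1]);
    else if (m[2] !== undefined) segments.push(m[2]);
    else if (m[3] !== undefined) segments.push(m[3]);
    else segments.push(m[0]);
  }
  return segments;
}

// True only when no segment anywhere in the path is a dangerous key.
function isSafePath(path) {
  return tokenizePath(path).every((s) => !DANGEROUS_SEGMENTS.has(s));
}

// Set `value` at `path` inside `target`, creating intermediate containers as
// needed. Every segment is checked first, and intermediates are created with
// Object.create(null), so neither a direct nor a nested payload can reach
// Object.prototype. Numeric segments are stored on plain objects, not arrays.
function safeSet(target, path, value) {
  const segments = tokenizePath(path);
  if (segments.length === 0) throw new Error('empty path');
  for (const s of segments) {
    if (DANGEROUS_SEGMENTS.has(s)) {
      throw new Error(`rejected unsafe path segment "${s}" in "${path}"`);
    }
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const key = segments[i];
    const existing = Object.prototype.hasOwnProperty.call(node, key) ? node[key] : undefined;
    if (typeof existing !== 'object' || existing === null) {
      node[key] = Object.create(null); // no Object.prototype on intermediates either
    }
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Build a form-fields object from (name, value) pairs as a multipart parser
// would deliver them, keeping a list of the field names that were rejected.
function buildFormFields(fields) {
  const store = Object.create(null); // null-prototype root, as in the original fix
  const rejected = [];
  for (const [name, value] of fields) {
    try {
      safeSet(store, name, value);
    } catch (e) {
      rejected.push(name);
    }
  }
  return { store, rejected };
}

// Constructed sample input: two legitimate fields plus the payload shapes
// named in the advisory, written both in dot and in bracket notation.
const SAMPLE_FIELDS = [
  ['user.name', 'alice'],
  ['user.tags[0]', 'reader'],
  ['__proto__.polluted', 'yes'],                   // direct payload
  ['user.__proto__.polluted', 'yes'],              // nested payload
  ['user.constructor.prototype.polluted', 'yes'],  // nested via constructor
  ['user["__proto__"].polluted', 'yes'],           // same key, bracket notation
];

// Detection check: a fresh {} must not see a "polluted" property.
function prototypeIsClean() {
  return !('polluted' in {});
}

const result = buildFormFields(SAMPLE_FIELDS);
console.log(JSON.stringify(result.store));
console.log('rejected:', result.rejected, 'prototype clean:', prototypeIsClean());
```

Two design points: the segment check runs before any write, so a rejected field leaves the store untouched, and `prototypeIsClean()` is the kind of assertion worth keeping in a regression test alongside the direct payloads the original fix covered. Which check the released fix in v10.1.5 / v11.0.3 actually applies is not stated on this page; upgrading remains the fix.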

Impact

An unauthenticated attacker can remotely pollute Object.prototype on any route accepting multipart/form-data requests behind BodyParserMiddleware.

Because the pollution is process-wide, the impact may include authorization bypasses, unexpected behavior in downstream libraries, or prototype pollution gadget chains leading to remote code execution.

Patches

Fixes targeting v6 and v7 have been published below.

Users should upgrade to a version that includes the following fix:

  • https://github.com/adonisjs/bodyparser/releases/tag/v10.1.5
  • https://github.com/adonisjs/bodyparser/releases/tag/v11.0.3

References

Database specific
{
    "github_reviewed_at": "2026-06-30T18:34:32Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1321"
    ],
    "severity": "HIGH"
}
Affected packages

npm / @adonisjs/bodyparser

Package

Name
@adonisjs/bodyparser
Purl
pkg:npm/%40adonisjs%2Fbodyparser

Affected ranges

Type
SEMVER
Events
Introduced
10.1.3
Fixed
10.1.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-qcm7-3vpr-hj5h/GHSA-qcm7-3vpr-hj5h.json"
last_known_affected_version_range
"<= 10.1.4"

npm / @adonisjs/bodyparser

Package

Name
@adonisjs/bodyparser
Purl
pkg:npm/%40adonisjs%2Fbodyparser

Affected ranges

Type
SEMVER
Events
Introduced
11.0.0-next.9
Fixed
11.0.3

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-qcm7-3vpr-hj5h/GHSA-qcm7-3vpr-hj5h.json"
last_known_affected_version_range
"<= 11.0.1"