GHSA-f5x2-vj4h-vg4c

Suggest an improvement
Source
https://github.com/advisories/GHSA-f5x2-vj4h-vg4c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-f5x2-vj4h-vg4c/GHSA-f5x2-vj4h-vg4c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f5x2-vj4h-vg4c
Aliases
Published
2026-02-06T19:27:30Z
Modified
2026-02-07T00:52:31.326313Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
AdonisJS multipart body parsing has Prototype Pollution issue
Details

Description

A Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts @adonisjs/bodyparser through version 10.1.2 and 11.x prerelease versions prior to 11.0.0-next.8. This issue has been patched in @adonisjs/bodyparser versions 10.1.3 and 11.0.0-next.9

Details

AdonisJS parses multipart/form-data requests via the BodyParser package. During multipart parsing, form field names are used to construct plain JavaScript objects representing the parsed request body.

Due to insufficient validation of multipart field names, specially crafted fields containing reserved property names such as __proto__, constructor, or prototype could be assigned directly to objects created during parsing. This allows an attacker to pollute object prototypes, potentially affecting other parts of the application that rely on these objects.

The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing.

Impact

Exploitation requires an application endpoint that accepts and parses multipart/form-data requests.

If exploited, prototype pollution may lead to unexpected application behavior, logic bypasses, or security issues depending on how polluted objects are later consumed. The severity of the impact depends on application logic and usage patterns of the parsed request data.

Patches

Fixes targeting v6 and v7 have been published below.

Users should upgrade to a version that includes the following fix: - https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3 - https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9

Database specific 
{
    "nvd_published_at": "2026-02-06T23:15:54Z",
    "github_reviewed_at": "2026-02-06T19:27:30Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-1321"
    ],
    "github_reviewed": true
}
References

Affected packages

npm / @adonisjs/bodyparser

Package

Name
@adonisjs/bodyparser
View open source insights on deps.dev
Purl
pkg:npm/%40adonisjs/bodyparser

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.1.3

Database specific

last_known_affected_version_range 
"<= 10.1.2"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-f5x2-vj4h-vg4c/GHSA-f5x2-vj4h-vg4c.json"

npm / @adonisjs/bodyparser

Package

Name
@adonisjs/bodyparser
View open source insights on deps.dev
Purl
pkg:npm/%40adonisjs/bodyparser

Affected ranges

Type
SEMVER
Events
Introduced
11.0.0-next.0
Fixed
11.0.0-next.9

Database specific

last_known_affected_version_range 
"<= 11.0.0-next.8"
source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-f5x2-vj4h-vg4c/GHSA-f5x2-vj4h-vg4c.json"