GHSA-QCM7-3VPR-HJ5H
Vulnerability from github – Published: 2026-06-30 18:34 – Updated: 2026-06-30 18:34Summary
The fix for GHSA-f5x2-vj4h-vg4c / CVE-2026-25754 introduced in commit 40e1c71 is incomplete and can be bypassed through nested prototype pollution payloads.
The original patch replaced the internal FormFields storage object with Object.create(null), preventing direct payloads such as __proto__.polluted. However, payloads containing a non-dangerous segment before __proto__ or constructor.prototype, such as user.__proto__.polluted, still lead to Object.prototype pollution.
This issue is exploitable remotely through a single unauthenticated multipart/form-data request using the default configuration.
Affected versions
>= 10.1.3 < 10.1.5>= 11.0.0-next.9 < 11.0.3
Details
The regression tests added by the original fix only covered direct payloads such as:
__proto__.pollutedconstructor.prototype.polluted
These payloads are blocked because the root object no longer inherits from Object.prototype.
However, lodash _.set() (via @poppinss/utils) still creates intermediate objects using plain {} values. Once a normal segment is encountered, subsequent __proto__ or constructor.prototype segments regain access to Object.prototype.
Impact
An unauthenticated attacker can remotely pollute Object.prototype on any route accepting multipart/form-data requests behind BodyParserMiddleware.
Because the pollution is process-wide, the impact may include authorization bypasses, unexpected behavior in downstream libraries, or prototype pollution gadget chains leading to remote code execution.
Patches
Fixes targeting v6 and v7 have been published below.
Users should upgrade to a version that includes the following fix:
- https://github.com/adonisjs/bodyparser/releases/tag/v10.1.5
- https://github.com/adonisjs/bodyparser/releases/tag/v11.0.3
References
- CWE-1321
- Prior advisory this bypasses: GHSA-f5x2-vj4h-vg4c / CVE-2026-25754
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.1.4"
},
"package": {
"ecosystem": "npm",
"name": "@adonisjs/bodyparser"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.3"
},
{
"fixed": "10.1.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.0.1"
},
"package": {
"ecosystem": "npm",
"name": "@adonisjs/bodyparser"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0-next.9"
},
{
"fixed": "11.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48795"
],
"database_specific": {
"cwe_ids": [
"CWE-1321"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T18:34:32Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nThe fix for [GHSA-f5x2-vj4h-vg4c](https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c) / CVE-2026-25754 introduced in commit [`40e1c71`](https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed) is incomplete and can be bypassed through nested prototype pollution payloads.\n\nThe original patch replaced the internal `FormFields` storage object with `Object.create(null)`, preventing direct payloads such as `__proto__.polluted`. However, payloads containing a non-dangerous segment before `__proto__` or `constructor.prototype`, such as `user.__proto__.polluted`, still lead to `Object.prototype` pollution.\n\nThis issue is exploitable remotely through a single unauthenticated `multipart/form-data` request using the default configuration.\n\n### Affected versions\n\n- `\u003e= 10.1.3 \u003c 10.1.5`\n- `\u003e= 11.0.0-next.9 \u003c 11.0.3`\n\n### Details\n\nThe regression tests added by the original fix only covered direct payloads such as:\n\n- `__proto__.polluted`\n- `constructor.prototype.polluted`\n\nThese payloads are blocked because the root object no longer inherits from `Object.prototype`.\n\nHowever, lodash `_.set()` (via `@poppinss/utils`) still creates intermediate objects using plain `{}` values. Once a normal segment is encountered, subsequent `__proto__` or `constructor.prototype` segments regain access to `Object.prototype`.\n\n### Impact\n\nAn unauthenticated attacker can remotely pollute `Object.prototype` on any route accepting multipart/form-data requests behind `BodyParserMiddleware`.\n\nBecause the pollution is process-wide, the impact may include authorization bypasses, unexpected behavior in downstream libraries, or prototype pollution gadget chains leading to remote code execution.\n\n### Patches\n\nFixes targeting v6 and v7 have been published below.\n\nUsers should upgrade to a version that includes the following fix:\n\n- https://github.com/adonisjs/bodyparser/releases/tag/v10.1.5\n- https://github.com/adonisjs/bodyparser/releases/tag/v11.0.3\n\n### References\n\n- [CWE-1321](https://cwe.mitre.org/data/definitions/1321.html)\n- Prior advisory this bypasses: [GHSA-f5x2-vj4h-vg4c](https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c) / CVE-2026-25754",
"id": "GHSA-qcm7-3vpr-hj5h",
"modified": "2026-06-30T18:34:32Z",
"published": "2026-06-30T18:34:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c"
},
{
"type": "WEB",
"url": "https://github.com/adonisjs/core/security/advisories/GHSA-qcm7-3vpr-hj5h"
},
{
"type": "WEB",
"url": "https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed"
},
{
"type": "WEB",
"url": "https://github.com/adonisjs/bodyparser/releases/tag/v10.1.5"
},
{
"type": "WEB",
"url": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.3"
},
{
"type": "PACKAGE",
"url": "https://github.com/adonisjs/core"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "@adonisjs/bodyparser has an incomplete fix for CVE-2026-25754"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.