Incomplete Fix for CVE-2026-25754 in @adonisjs/bodyparser Leads to CVE-2026-48795
An incomplete fix for CVE-2026-25754 in the `@adonisjs/bodyparser` package, tracked as CVE-2026-48795, allows remote unauthenticated attackers to bypass security measures via nested prototype pollution payloads in `multipart/form-data` requests, potentially leading to authorization bypasses or remote code execution.
The @adonisjs/bodyparser package for AdonisJS applications contains a critical vulnerability, CVE-2026-48795, which is an incomplete fix for a previously identified prototype pollution flaw (CVE-2026-25754). This vulnerability affects versions >= 10.1.3 < 10.1.5 and >= 11.0.0-next.9 < 11.0.3. An unauthenticated attacker can remotely exploit this by sending a specially crafted multipart/form-data request. The bypass occurs because the underlying lodash.set() utility, used via @poppinss/utils, still creates intermediate objects that regain access to Object.prototype when payloads like user.__proto__.polluted are used. This allows for process-wide Object.prototype pollution, which can have severe consequences for the affected application, including authorization bypasses, unexpected behavior, or even remote code execution via gadget chains.
Attack Chain
- An unauthenticated attacker identifies a vulnerable AdonisJS application accepting
multipart/form-datarequests. - The attacker crafts an HTTP POST request with a
multipart/form-datacontent type. - The request body contains a form field whose name is a prototype pollution payload, structured to bypass the original fix, such as
user.__proto__.polluted. - The vulnerable
@adonisjs/bodyparsercomponent processes the incomingmultipart/form-datarequest. - During parsing,
@adonisjs/bodyparserutilizeslodash.set()(via@poppinss/utils) to construct form fields. lodash.set()creates intermediate objects using plain{}values, which re-introduce theObject.prototypeinto the inheritance chain once a "normal" segment (e.g.,user) is processed before__proto__.- This action successfully pollutes the global
Object.prototypewithin the application's process. - The polluted
Object.prototypecan then be leveraged by the attacker to trigger authorization bypasses, unexpected application behavior, or remote code execution by exploiting existing prototype pollution gadget chains.
Impact
Successful exploitation of CVE-2026-48795 grants an unauthenticated attacker the ability to pollute the Object.prototype across the entire application process. This critical issue means that any route accepting multipart/form-data requests behind BodyParserMiddleware is vulnerable. The direct consequences can include authorization bypasses, allowing attackers to gain unauthorized access or elevate privileges within the application. Furthermore, the pollution can cause unpredictable behavior in various downstream libraries or enable exploitation of prototype pollution gadget chains, potentially leading to full remote code execution on the server hosting the AdonisJS application.
Recommendation
- Patch CVE-2026-48795 immediately by upgrading
@adonisjs/bodyparserto version10.1.5or11.0.3or later. - Review application logs for
multipart/form-dataPOST requests containing__proto__orconstructor.prototypein form field names, indicative of attempted exploitation.