{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3aadonisjsbodyparser11.0.0next1node.js/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:adonisjs:bodyparser:*:*:*:*:*:node.js:*:*","cpe:2.3:a:adonisjs:bodyparser:11.0.0:next1:*:*:*:node.js:*:*","cpe:2.3:a:adonisjs:bodyparser:11.0.0:next2:*:*:*:node.js:*:*","cpe:2.3:a:adonisjs:bodyparser:11.0.0:next3:*:*:*:node.js:*:*","cpe:2.3:a:adonisjs:bodyparser:11.0.0:next4:*:*:*:node.js:*:*","cpe:2.3:a:adonisjs:bodyparser:11.0.0:next5:*:*:*:node.js:*:*","cpe:2.3:a:adonisjs:bodyparser:11.0.0:next6:*:*:*:node.js:*:*","cpe:2.3:a:adonisjs:bodyparser:11.0.0:next7:*:*:*:node.js:*:*","cpe:2.3:a:adonisjs:bodyparser:11.0.0:next8:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-25754"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@adonisjs/bodyparser (\u003e= 10.1.3 \u003c 10.1.5)","@adonisjs/bodyparser (\u003e= 11.0.0-next.9 \u003c 11.0.3)"],"_cs_severities":["high"],"_cs_tags":["prototype-pollution","web-vulnerability","adonisjs","rce"],"_cs_type":"advisory","_cs_vendors":["AdonisJS"],"content_html":"\u003cp\u003eThe \u003ccode\u003e@adonisjs/bodyparser\u003c/code\u003e package for AdonisJS applications contains a critical vulnerability, CVE-2026-48795, which is an incomplete fix for a previously identified prototype pollution flaw (CVE-2026-25754). This vulnerability affects versions \u003ccode\u003e\u0026gt;= 10.1.3 \u0026lt; 10.1.5\u003c/code\u003e and \u003ccode\u003e\u0026gt;= 11.0.0-next.9 \u0026lt; 11.0.3\u003c/code\u003e. An unauthenticated attacker can remotely exploit this by sending a specially crafted \u003ccode\u003emultipart/form-data\u003c/code\u003e request. The bypass occurs because the underlying \u003ccode\u003elodash.set()\u003c/code\u003e utility, used via \u003ccode\u003e@poppinss/utils\u003c/code\u003e, still creates intermediate objects that regain access to \u003ccode\u003eObject.prototype\u003c/code\u003e when payloads like \u003ccode\u003euser.__proto__.polluted\u003c/code\u003e are used. This allows for process-wide \u003ccode\u003eObject.prototype\u003c/code\u003e pollution, which can have severe consequences for the affected application, including authorization bypasses, unexpected behavior, or even remote code execution via gadget chains.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable AdonisJS application accepting \u003ccode\u003emultipart/form-data\u003c/code\u003e requests.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request with a \u003ccode\u003emultipart/form-data\u003c/code\u003e content type.\u003c/li\u003e\n\u003cli\u003eThe request body contains a form field whose name is a prototype pollution payload, structured to bypass the original fix, such as \u003ccode\u003euser.__proto__.polluted\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003e@adonisjs/bodyparser\u003c/code\u003e component processes the incoming \u003ccode\u003emultipart/form-data\u003c/code\u003e request.\u003c/li\u003e\n\u003cli\u003eDuring parsing, \u003ccode\u003e@adonisjs/bodyparser\u003c/code\u003e utilizes \u003ccode\u003elodash.set()\u003c/code\u003e (via \u003ccode\u003e@poppinss/utils\u003c/code\u003e) to construct form fields.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003elodash.set()\u003c/code\u003e creates intermediate objects using plain \u003ccode\u003e{}\u003c/code\u003e values, which re-introduce the \u003ccode\u003eObject.prototype\u003c/code\u003e into the inheritance chain once a \u0026quot;normal\u0026quot; segment (e.g., \u003ccode\u003euser\u003c/code\u003e) is processed before \u003ccode\u003e__proto__\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThis action successfully pollutes the global \u003ccode\u003eObject.prototype\u003c/code\u003e within the application's process.\u003c/li\u003e\n\u003cli\u003eThe polluted \u003ccode\u003eObject.prototype\u003c/code\u003e can then be leveraged by the attacker to trigger authorization bypasses, unexpected application behavior, or remote code execution by exploiting existing prototype pollution gadget chains.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-48795 grants an unauthenticated attacker the ability to pollute the \u003ccode\u003eObject.prototype\u003c/code\u003e across the entire application process. This critical issue means that any route accepting \u003ccode\u003emultipart/form-data\u003c/code\u003e requests behind \u003ccode\u003eBodyParserMiddleware\u003c/code\u003e is vulnerable. The direct consequences can include authorization bypasses, allowing attackers to gain unauthorized access or elevate privileges within the application. Furthermore, the pollution can cause unpredictable behavior in various downstream libraries or enable exploitation of prototype pollution gadget chains, potentially leading to full remote code execution on the server hosting the AdonisJS application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-48795 immediately by upgrading \u003ccode\u003e@adonisjs/bodyparser\u003c/code\u003e to version \u003ccode\u003e10.1.5\u003c/code\u003e or \u003ccode\u003e11.0.3\u003c/code\u003e or later.\u003c/li\u003e\n\u003cli\u003eReview application logs for \u003ccode\u003emultipart/form-data\u003c/code\u003e POST requests containing \u003ccode\u003e__proto__\u003c/code\u003e or \u003ccode\u003econstructor.prototype\u003c/code\u003e in form field names, indicative of attempted exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:04:13Z","date_published":"2026-07-03T13:04:13Z","id":"https://feed.craftedsignal.io/briefs/2026-07-adonisjs-bodyparser-incomplete-fix/","summary":"An incomplete fix for CVE-2026-25754 in the `@adonisjs/bodyparser` package, tracked as CVE-2026-48795, allows remote unauthenticated attackers to bypass security measures via nested prototype pollution payloads in `multipart/form-data` requests, potentially leading to authorization bypasses or remote code execution.","title":"Incomplete Fix for CVE-2026-25754 in @adonisjs/bodyparser Leads to CVE-2026-48795","url":"https://feed.craftedsignal.io/briefs/2026-07-adonisjs-bodyparser-incomplete-fix/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:adonisjs:bodyparser:11.0.0:next1:*:*:*:node.js:*:*","version":"https://jsonfeed.org/version/1.1"}