<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:a:adonisjs:bodyparser:11.0.0:next2:*:*:*:node.js:*:* - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3aadonisjsbodyparser11.0.0next2node.js/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 13:04:13 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3aadonisjsbodyparser11.0.0next2node.js/feed.xml" rel="self" type="application/rss+xml"/><item><title>Incomplete Fix for CVE-2026-25754 in @adonisjs/bodyparser Leads to CVE-2026-48795</title><link>https://feed.craftedsignal.io/briefs/2026-07-adonisjs-bodyparser-incomplete-fix/</link><pubDate>Fri, 03 Jul 2026 13:04:13 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-adonisjs-bodyparser-incomplete-fix/</guid><description>An incomplete fix for CVE-2026-25754 in the `@adonisjs/bodyparser` package, tracked as CVE-2026-48795, allows remote unauthenticated attackers to bypass security measures via nested prototype pollution payloads in `multipart/form-data` requests, potentially leading to authorization bypasses or remote code execution.</description><content:encoded><![CDATA[<p>The <code>@adonisjs/bodyparser</code> package for AdonisJS applications contains a critical vulnerability, CVE-2026-48795, which is an incomplete fix for a previously identified prototype pollution flaw (CVE-2026-25754). This vulnerability affects versions <code>&gt;= 10.1.3 &lt; 10.1.5</code> and <code>&gt;= 11.0.0-next.9 &lt; 11.0.3</code>. An unauthenticated attacker can remotely exploit this by sending a specially crafted <code>multipart/form-data</code> request. The bypass occurs because the underlying <code>lodash.set()</code> utility, used via <code>@poppinss/utils</code>, still creates intermediate objects that regain access to <code>Object.prototype</code> when payloads like <code>user.__proto__.polluted</code> are used. This allows for process-wide <code>Object.prototype</code> pollution, which can have severe consequences for the affected application, including authorization bypasses, unexpected behavior, or even remote code execution via gadget chains.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a vulnerable AdonisJS application accepting <code>multipart/form-data</code> requests.</li>
<li>The attacker crafts an HTTP POST request with a <code>multipart/form-data</code> content type.</li>
<li>The request body contains a form field whose name is a prototype pollution payload, structured to bypass the original fix, such as <code>user.__proto__.polluted</code>.</li>
<li>The vulnerable <code>@adonisjs/bodyparser</code> component processes the incoming <code>multipart/form-data</code> request.</li>
<li>During parsing, <code>@adonisjs/bodyparser</code> utilizes <code>lodash.set()</code> (via <code>@poppinss/utils</code>) to construct form fields.</li>
<li><code>lodash.set()</code> creates intermediate objects using plain <code>{}</code> values, which re-introduce the <code>Object.prototype</code> into the inheritance chain once a &quot;normal&quot; segment (e.g., <code>user</code>) is processed before <code>__proto__</code>.</li>
<li>This action successfully pollutes the global <code>Object.prototype</code> within the application's process.</li>
<li>The polluted <code>Object.prototype</code> can then be leveraged by the attacker to trigger authorization bypasses, unexpected application behavior, or remote code execution by exploiting existing prototype pollution gadget chains.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-48795 grants an unauthenticated attacker the ability to pollute the <code>Object.prototype</code> across the entire application process. This critical issue means that any route accepting <code>multipart/form-data</code> requests behind <code>BodyParserMiddleware</code> is vulnerable. The direct consequences can include authorization bypasses, allowing attackers to gain unauthorized access or elevate privileges within the application. Furthermore, the pollution can cause unpredictable behavior in various downstream libraries or enable exploitation of prototype pollution gadget chains, potentially leading to full remote code execution on the server hosting the AdonisJS application.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-48795 immediately by upgrading <code>@adonisjs/bodyparser</code> to version <code>10.1.5</code> or <code>11.0.3</code> or later.</li>
<li>Review application logs for <code>multipart/form-data</code> POST requests containing <code>__proto__</code> or <code>constructor.prototype</code> in form field names, indicative of attempted exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>prototype-pollution</category><category>web-vulnerability</category><category>adonisjs</category><category>rce</category></item></channel></rss>