CVE-2026-25754 Overview
CVE-2026-25754 is a prototype pollution vulnerability in the AdonisJS bodyparser package, a multipart form-data parser used by the AdonisJS TypeScript-first web framework. Remote attackers can manipulate JavaScript object prototypes at runtime by submitting crafted multipart form-data payloads to vulnerable endpoints. The flaw affects bodyparser versions prior to 10.1.3 and 11.0.0-next.9, and is tracked under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes).
The vulnerability requires no authentication and no user interaction. Exploitation can alter application logic, bypass security controls, or enable secondary attacks such as denial of service or code execution depending on downstream usage of polluted properties.
Critical Impact
Unauthenticated remote attackers can pollute Object.prototype through multipart form-data requests, potentially altering runtime behavior of every AdonisJS application object.
Affected Products
- AdonisJS bodyparser versions prior to 10.1.3
- AdonisJS bodyparser 11.0.0-next.1 through 11.0.0-next.8
- AdonisJS core applications relying on the vulnerable bodyparser package
Discovery Timeline
- 2026-02-06 - CVE-2026-25754 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-25754
Vulnerability Analysis
The vulnerability resides in how the AdonisJS bodyparser package processes multipart form-data fields and merges them into JavaScript objects. When the parser encounters specially crafted field names referencing prototype-controlling keys such as __proto__, constructor, or prototype, it assigns attacker-controlled values directly onto the base Object.prototype rather than the intended request body object.
Because every JavaScript object inherits from Object.prototype, polluted properties become globally readable across the running Node.js process. Subsequent code paths that perform property lookups against untrusted keys can read attacker-supplied values, leading to authorization bypasses, configuration tampering, or logic corruption. The attack vector is network-based and requires no privileges.
Root Cause
The root cause is a recursive object-merge routine in the form-data parser that fails to sanitize or block dangerous property names before assignment. Without an allow-list or explicit Object.create(null) target, the parser walks keys such as __proto__.polluted=1 and writes to the prototype chain. The patch, applied in commit 40e1c71f958cffb74f6b91bed6630dca979062ed, filters these reserved keys during multipart parsing.
Attack Vector
An attacker sends an HTTP POST request with Content-Type: multipart/form-data to any AdonisJS endpoint that accepts request bodies. The crafted form fields use nested key notation targeting __proto__ or constructor.prototype. Once parsed, the injected properties persist on Object.prototype for the lifetime of the Node.js worker, affecting all concurrent and subsequent requests.
No authentication is required, and the CVSS scope is rated Changed, meaning the impact extends beyond the vulnerable component into other parts of the application runtime. Refer to the GitHub Security Advisory GHSA-f5x2-vj4h-vg4c for technical details on the affected parsing logic.
Detection Methods for CVE-2026-25754
Indicators of Compromise
- Multipart form-data requests containing field names with __proto__, constructor, or prototype substrings in the Content-Disposition header.
- Unexpected properties appearing on objects across unrelated request handlers or background jobs.
- Application errors or anomalous behavior immediately following parsing of untrusted multipart payloads.
Detection Strategies
- Inspect HTTP request bodies and form-field names at the web application firewall (WAF) or reverse proxy for prototype-pollution payload signatures.
- Audit installed @adonisjs/bodyparser versions across Node.js deployments and flag versions earlier than 10.1.3 or 11.0.0-next.9.
- Add runtime sentinels that read properties such as ({}).polluted at health-check intervals to identify a polluted prototype.
Monitoring Recommendations
- Forward Node.js application logs and reverse-proxy access logs to a centralized analytics platform for query-driven hunting on prototype-pollution patterns.
- Alert on multipart requests where field names contain [__proto__], [constructor][prototype], or URL-encoded equivalents.
- Monitor process restart frequency and unexpected exception rates that may indicate exploited prototype tampering.
How to Mitigate CVE-2026-25754
Immediate Actions Required
- Upgrade @adonisjs/bodyparser to version 10.1.3 for the stable branch or 11.0.0-next.9 for the next branch.
- Audit the dependency tree with npm ls @adonisjs/bodyparser and rebuild deployment artifacts after upgrading.
- Restart all Node.js workers to discard any prototype state potentially polluted before patching.
Patch Information
The maintainers fixed the issue in commit 40e1c71f, released as part of v11.0.0-next.9 and version 10.1.3. The patch rejects multipart fields that target prototype-controlling keys during body parsing.
Workarounds
- Disable multipart form-data parsing on endpoints that do not require file uploads by adjusting config/bodyparser.ts to exclude the multipart type.
- Place a WAF rule in front of the application that blocks request bodies containing __proto__, constructor.prototype, or prototype field names.
- Validate and allow-list expected form-field names in controller logic before passing request data to downstream object merges.
# Upgrade and audit example
npm install @adonisjs/bodyparser@^10.1.3
# or for the next release line
npm install @adonisjs/bodyparser@11.0.0-next.9
npm ls @adonisjs/bodyparser
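As an added example (not the bodyparser's own code, and not the upstream patch), the following shows the three defensive pieces this advisory describes in one place: a nested field-name setter that refuses prototype-controlling keys and writes into null-prototype objects (the root-cause fix), a field-name screen for the WAF and log rules (including URL-encoded variants), and the health-check sentinel. The bracket field syntax (user[name]) and all helper names are assumptions.

```javascript
// Added example, not the bodyparser's own code; helper names and the
// bracket field syntax (user[name]) are assumptions.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);
// "user[name]" -> ["user", "name"]
function splitFieldName(name) {
  return name.replace(/\]/g, '').split('[').filter(Boolean);
}

// Screen for a WAF or log rule: any reserved segment, raw or URL-encoded.
function isSuspiciousFieldName(name) {
  let decoded = name;
  try { decoded = decodeURIComponent(name); } catch (_) { /* keep raw */ }
  return splitFieldName(decoded).some((seg) => RESERVED.has(seg));
}

// Nested write that refuses reserved segments, builds intermediates with a
// null prototype, and never descends into a non-object. True only on success.
function safeSetNested(target, name, value) {
  const path = splitFieldName(name);
  if (path.length === 0 || path.some((seg) => RESERVED.has(seg))) return false;
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(node, path[i])) {
      node[path[i]] = Object.create(null);
    }
    node = node[path[i]];
    if (node === null || typeof node !== 'object') return false;
  }
  node[path[path.length - 1]] = value;
  return true;
}

// Parse (name, value) pairs into a null-prototype body; report rejections.
function parseFields(fields) {
  const body = Object.create(null);
  const rejected = fields.filter(([n, v]) => !safeSetNested(body, n, v)).map(([n]) => n);
  return { body, rejected };
}

// Health-check sentinel: a fresh object must not inherit any probed name.
function isPrototypePolluted(probes = ['polluted']) {
  return probes.some((p) => p in {});
}

// Constructed sample: a benign field plus the advisory's __proto__.polluted=1 shape.
const SAMPLE_FIELDS = [
  ['user[name]', 'alice'],
  ['__proto__[polluted]', '1'],
  ['constructor[prototype][polluted]', '1'],
];
```

Running parseFields(SAMPLE_FIELDS) keeps user.name and reports the two reserved-key fields as rejected, while isPrototypePolluted() stays false.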
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.