What is the severity of CVE-2026-25754?

CVE-2026-25754 has a CVSS v3 score of 7.2, which is classified as High severity.

Is there an exploit available for CVE-2026-25754?

No known public exploits are currently available for CVE-2026-25754.

Is there a patch available for CVE-2026-25754?

Yes, patches are available for CVE-2026-25754. Check the vendor advisories for update instructions.

CVE-2026-25754 - CVE Details, Severity, and Analysis

Q: What is CVE-2026-25754?

### Description A Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts `@adonisjs/bodyparser` through version `10.1.2` and `11.x` prerelease versions prior to `11.0.0-next.8`. This issue has been patched in `@adonisjs/bodyparser` versions `10.1.3` and `11.0.0-next.9` ### Details AdonisJS parses `multipart/form-data` requests via the BodyParser package. During multipart parsing, form field names are used to construct plain JavaScript objects representing the parsed request body. Due to insufficient validation of multipart field names, specially crafted fields containing reserved property names such as `__proto__`, `constructor`, or `prototype` could be assigned directly to objects created during parsing. This allows an attacker to pollute object prototypes, potentially affecting other parts of the application that rely on these objects. **The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing.** ### Impact Exploitation requires an application endpoint that accepts and parses `multipart/form-data` requests. If exploited, prototype pollution may lead to unexpected application behavior, logic bypasses, or security issues depending on how polluted objects are later consumed. The severity of the impact depends on application logic and usage patterns of the parsed request data. ### Patches Fixes targeting v6 and v7 have been published below. Users should upgrade to a version that includes the following fix: - https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3 - https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9

Severity Scores

CVSS v37.2

CVSS v20.0

Priority Score330.0

EPSS Score0.0

High

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

7.2

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

A Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts @adonisjs/bodyparser through version 10.1.2 and 11.x prerelease versions prior to 11.0.0-next.8. This issue has been patched in @adonisjs/bodyparser versions 10.1.3 and 11.0.0-next.9

Details

AdonisJS parses multipart/form-data requests via the BodyParser package. During multipart parsing, form field names are used to construct plain JavaScript objects representing the parsed request body.

Due to insufficient validation of multipart field names, specially crafted fields containing reserved property names such as __proto__, constructor, or prototype could be assigned directly to objects created during parsing. This allows an attacker to pollute object prototypes, potentially affecting other parts of the application that rely on these objects.

The vulnerability is limited to multipart request parsing and does not affect JSON or URL-encoded body parsing.

Impact

Exploitation requires an application endpoint that accepts and parses multipart/form-data requests.

If exploited, prototype pollution may lead to unexpected application behavior, logic bypasses, or security issues depending on how polluted objects are later consumed. The severity of the impact depends on application logic and usage patterns of the parsed request data.

Patches

Fixes targeting v6 and v7 have been published below.

Users should upgrade to a version that includes the following fix:

https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3
https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Network

User Interaction:Network

Scope:Changed

Confidentiality:Local

Integrity:Local

Availability:Network

Patch References

Github.com Github.com

Ready for Agentic Automated Testing?

CVE-2026-25754

Description

Details

Impact

Patches