CVE-2026-25754
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/02/2026
Last modified:
17/03/2026
Description
AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.
Impact
Base Score 3.x
7.20
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:adonisjs:bodyparser:*:*:*:*:*:node.js:*:* | 10.1.3 (excluding) | |
| cpe:2.3:a:adonisjs:bodyparser:*:*:*:*:*:node.js:*:* | 10.1.4 (including) | 11.0.0 (excluding) |
| cpe:2.3:a:adonisjs:bodyparser:11.0.0:next1:*:*:*:node.js:*:* | ||
| cpe:2.3:a:adonisjs:bodyparser:11.0.0:next2:*:*:*:node.js:*:* | ||
| cpe:2.3:a:adonisjs:bodyparser:11.0.0:next3:*:*:*:node.js:*:* | ||
| cpe:2.3:a:adonisjs:bodyparser:11.0.0:next4:*:*:*:node.js:*:* | ||
| cpe:2.3:a:adonisjs:bodyparser:11.0.0:next5:*:*:*:node.js:*:* | ||
| cpe:2.3:a:adonisjs:bodyparser:11.0.0:next6:*:*:*:node.js:*:* | ||
| cpe:2.3:a:adonisjs:bodyparser:11.0.0:next7:*:*:*:node.js:*:* | ||
| cpe:2.3:a:adonisjs:bodyparser:11.0.0:next8:*:*:*:node.js:*:* |
To consult the complete list of CPE names with products and versions, see this page