CVE-2026-48795

AdonisJS · Core (BodyParser)

A prototype pollution vulnerability exists in the AdonisJS BodyParser component, allowing unauthenticated attackers to modify object prototype attributes.

Executive summary

A critical prototype pollution vulnerability in the AdonisJS BodyParser component allows unauthenticated attackers to potentially modify application logic or cause denial of service.

Vulnerability

This vulnerability is a prototype pollution flaw (CWE-1321) residing in the BodyParser package. It allows an unauthenticated remote attacker to inject malicious properties into the object prototype, which can lead to unauthorized data manipulation or service instability.

Business impact

Successful exploitation of this flaw can result in significant security compromises, including the alteration of application behavior and potential remote code execution depending on the application environment. With a CVSS score of 8.6, this is a high-severity issue that necessitates immediate attention to prevent data integrity loss or system downtime.

Remediation

Immediate Action: Update the @adonisjs/bodyparser package to version 10.1.5 or 11.0.3 immediately to incorporate the necessary security patches.

Proactive Monitoring: Monitor application logs for unusual request patterns, particularly those involving nested JSON objects or suspicious payload structures that attempt to modify object properties.

Compensating Controls: Deploy a Web Application Firewall (WAF) configured to inspect and block incoming JSON payloads that contain prototype-related keywords like proto, constructor, or prototype.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability presents a substantial risk to any application utilizing the AdonisJS BodyParser component. Administrators should prioritize the update process and verify that their dependency management systems correctly reflect the patched versions. Failure to remediate this flaw exposes the application to potential logic manipulation and service disruption.