CVE-2026-48795
AdonisJS · Core (BodyParser)
A prototype pollution vulnerability exists in the AdonisJS BodyParser component, allowing unauthenticated attackers to modify object prototype attributes.
Executive summary
A critical prototype pollution vulnerability in the AdonisJS BodyParser component allows unauthenticated attackers to potentially modify application logic or cause denial of service.
Vulnerability
This vulnerability is a prototype pollution flaw (CWE-1321) residing in the BodyParser package. It allows an unauthenticated remote attacker to inject malicious properties into the object prototype, which can lead to unauthorized data manipulation or service instability.
Business impact
Successful exploitation of this flaw can result in significant security compromises, including the alteration of application behavior and potential remote code execution depending on the application environment. With a CVSS score of 8.6, this is a high-severity issue that necessitates immediate attention to prevent data integrity loss or system downtime.
Remediation
Immediate Action: Update the @adonisjs/bodyparser package to version 10.1.5 or 11.0.3 immediately to incorporate the necessary security patches.
Proactive Monitoring: Monitor application logs for unusual request patterns, particularly those involving nested JSON objects or suspicious payload structures that attempt to modify object properties.
Compensating Controls: Deploy a Web Application Firewall (WAF) configured to inspect and block incoming JSON payloads that contain prototype-related keywords like proto, constructor, or prototype.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability presents a substantial risk to any application utilizing the AdonisJS BodyParser component. Administrators should prioritize the update process and verify that their dependency management systems correctly reflect the patched versions. Failure to remediate this flaw exposes the application to potential logic manipulation and service disruption.