CVE-2026-48795
JavaScript Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-48795 is an incomplete fix bypass vulnerability in the @adonisjs/bodyparser npm package that allows unauthenticated remote attackers to perform prototype pollution via nested multipart/form-data field names. It was first published by maintainer RomainLanz on May 28, 2026, and added to the GitHub Advisory Database on June 30, 2026. The vulnerability affects versions >= 10.1.3, < 10.1.5 and >= 11.0.0-next.9, < 11.0.3 of @adonisjs/bodyparser. It carries a CVSS v3.1 base score of 8.6 (High) (Github Advisory).

Détails techniques

The root cause is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). The prior fix for CVE-2026-25754 (GHSA-f5x2-vj4h-vg4c), introduced in commit 40e1c71, replaced the internal FormFields storage object with Object.create(null) to block direct prototype pollution payloads like __proto__.polluted or constructor.prototype.polluted. However, this fix is incomplete: because lodash _.set() (used internally via @poppinss/utils) creates intermediate objects as plain {} literals, a nested payload such as user.__proto__.polluted=yes causes lodash to traverse into a normal intermediate object that does inherit from Object.prototype, allowing subsequent __proto__ segments to successfully pollute it. The vulnerability is exploitable remotely via a single unauthenticated multipart/form-data HTTP request on any route protected by BodyParserMiddleware (Github Advisory, Incomplete Fix Commit).

Impact

Successful exploitation allows an unauthenticated attacker to pollute Object.prototype process-wide in the Node.js application. Because the pollution is global, downstream libraries and application logic that rely on inherited object properties may behave unexpectedly, potentially leading to authorization bypasses, logic errors, or exploitation of prototype pollution gadget chains that could result in remote code execution. The CVSS assessment reflects low confidentiality and integrity impact alongside high availability impact, reflecting the broad disruption that process-wide prototype pollution can cause (Github Advisory).

Étapes d’exploitation

  1. Reconnaissance: Identify a target AdonisJS application running @adonisjs/bodyparser versions >= 10.1.3, < 10.1.5 or >= 11.0.0-next.9, < 11.0.3. Look for any route that accepts file uploads or multipart/form-data submissions.
  2. Craft malicious payload: Construct a multipart/form-data HTTP request with a field name containing a nested prototype pollution path, such as user.__proto__.polluted or user.constructor.prototype.polluted, with an attacker-controlled value (e.g., yes).
  3. Send unauthenticated request: Submit the crafted request to the target endpoint. No authentication or special headers are required beyond a valid multipart/form-data content type.
  4. Trigger lodash traversal: The BodyParserMiddleware processes the field name via lodash _.set() (through @poppinss/utils). The user segment creates a plain {} intermediate object inheriting from Object.prototype, and the subsequent __proto__ segment then successfully modifies Object.prototype.
  5. Achieve process-wide pollution: The polluted property (e.g., polluted: 'yes') is now present on Object.prototype for the entire Node.js process, potentially enabling authorization bypasses, logic manipulation, or gadget-chain-based remote code execution depending on the application's downstream usage (Github Advisory).

Indicateurs de compromis

  • Network: Unexpected multipart/form-data POST requests to application endpoints containing field names with patterns like __proto__, constructor.prototype, or nested variants such as [segment].__proto__.[key] in the request body.
  • Logs: Application or web server access logs showing multipart/form-data requests with unusual field name structures; Node.js error logs reflecting unexpected property access or type errors in downstream libraries following such requests.
  • Process Behavior: Unexpected application behavior such as authorization checks returning incorrect results, properties appearing on plain objects that were not explicitly set, or crashes in libraries that check for inherited properties unexpectedly.

Atténuation et solutions de contournement

Users should upgrade @adonisjs/bodyparser to version 10.1.5 (for the v10 branch) or 11.0.3 (for the v11 branch), both released on May 22, 2026, which include fixes for nested prototype pollution (v10.1.5 Release, v11.0.3 Release). No configuration-based workaround is documented; upgrading is the only recommended remediation. As a temporary measure, operators may consider disabling or restricting routes that accept multipart/form-data input until the upgrade can be applied.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté JavaScript Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54504HIGH8.8
  • JavaScript logoJavaScript
  • @andrea9293/mcp-documentation-server
NonOuiJul 15, 2026
CVE-2026-50289HIGH8.7
  • JavaScript logoJavaScript
  • systeminformation
NonOuiJul 15, 2026
CVE-2026-48795HIGH8.6
  • JavaScript logoJavaScript
  • @adonisjs/bodyparser
NonOuiJul 15, 2026
CVE-2026-50272HIGH7.5
  • JavaScript logoJavaScript
  • dd-trace
NonOuiJul 15, 2026
CVE-2026-54490MEDIUM6.3
  • JavaScript logoJavaScript
  • websocket-driver
NonOuiJul 15, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités