
PEACH
Un cadre d’isolation des locataires
CVE-2026-48795 is an incomplete fix bypass vulnerability in the @adonisjs/bodyparser npm package that allows unauthenticated remote attackers to perform prototype pollution via nested multipart/form-data field names. It was first published by maintainer RomainLanz on May 28, 2026, and added to the GitHub Advisory Database on June 30, 2026. The vulnerability affects versions >= 10.1.3, < 10.1.5 and >= 11.0.0-next.9, < 11.0.3 of @adonisjs/bodyparser. It carries a CVSS v3.1 base score of 8.6 (High) (Github Advisory).
The root cause is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). The prior fix for CVE-2026-25754 (GHSA-f5x2-vj4h-vg4c), introduced in commit 40e1c71, replaced the internal FormFields storage object with Object.create(null) to block direct prototype pollution payloads like __proto__.polluted or constructor.prototype.polluted. However, this fix is incomplete: because lodash _.set() (used internally via @poppinss/utils) creates intermediate objects as plain {} literals, a nested payload such as user.__proto__.polluted=yes causes lodash to traverse into a normal intermediate object that does inherit from Object.prototype, allowing subsequent __proto__ segments to successfully pollute it. The vulnerability is exploitable remotely via a single unauthenticated multipart/form-data HTTP request on any route protected by BodyParserMiddleware (Github Advisory, Incomplete Fix Commit).
Successful exploitation allows an unauthenticated attacker to pollute Object.prototype process-wide in the Node.js application. Because the pollution is global, downstream libraries and application logic that rely on inherited object properties may behave unexpectedly, potentially leading to authorization bypasses, logic errors, or exploitation of prototype pollution gadget chains that could result in remote code execution. The CVSS assessment reflects low confidentiality and integrity impact alongside high availability impact, reflecting the broad disruption that process-wide prototype pollution can cause (Github Advisory).
@adonisjs/bodyparser versions >= 10.1.3, < 10.1.5 or >= 11.0.0-next.9, < 11.0.3. Look for any route that accepts file uploads or multipart/form-data submissions.multipart/form-data HTTP request with a field name containing a nested prototype pollution path, such as user.__proto__.polluted or user.constructor.prototype.polluted, with an attacker-controlled value (e.g., yes).multipart/form-data content type.BodyParserMiddleware processes the field name via lodash _.set() (through @poppinss/utils). The user segment creates a plain {} intermediate object inheriting from Object.prototype, and the subsequent __proto__ segment then successfully modifies Object.prototype.polluted: 'yes') is now present on Object.prototype for the entire Node.js process, potentially enabling authorization bypasses, logic manipulation, or gadget-chain-based remote code execution depending on the application's downstream usage (Github Advisory).multipart/form-data POST requests to application endpoints containing field names with patterns like __proto__, constructor.prototype, or nested variants such as [segment].__proto__.[key] in the request body.multipart/form-data requests with unusual field name structures; Node.js error logs reflecting unexpected property access or type errors in downstream libraries following such requests.Users should upgrade @adonisjs/bodyparser to version 10.1.5 (for the v10 branch) or 11.0.3 (for the v11 branch), both released on May 22, 2026, which include fixes for nested prototype pollution (v10.1.5 Release, v11.0.3 Release). No configuration-based workaround is documented; upgrading is the only recommended remediation. As a temporary measure, operators may consider disabling or restricting routes that accept multipart/form-data input until the upgrade can be applied.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."