Package details: pkg:npm/%40adonisjs/bodyparser@10.1.2
purl pkg:npm/%40adonisjs/bodyparser@10.1.2
Next non-vulnerable version 10.1.3
Latest non-vulnerable version 11.0.0-next.9
Risk
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-86dd-yfnr-y3ac
Aliases:
CVE-2026-25754
GHSA-f5x2-vj4h-vg4c
AdonisJS multipart body parsing has Prototype Pollution issue
A Prototype Pollution vulnerability (CWE-1321) in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This impacts `@adonisjs/bodyparser` through version `10.1.2` and `11.x` prerelease versions prior to `11.0.0-next.8`. This issue has been patched in `@adonisjs/bodyparser` versions `10.1.3` and `11.0.0-next.9`.
10.1.3
Affected by 0 other vulnerabilities.
11.0.0-next.9
Affected by 0 other vulnerabilities.
VCID-qj4q-bzvu-zfe4
Aliases:
CVE-2026-25762
GHSA-xx9g-fh25-4q64
AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection
A Denial of Service (DoS) vulnerability (CWE-400) exists in the multipart file handling logic of `@adonisjs/bodyparser`. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and process termination. This issue affects applications that accept `multipart/form-data` uploads using affected versions of `@adonisjs/bodyparser`.
10.1.3
Affected by 0 other vulnerabilities.
11.0.0-next.9
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-zab6-k8c8-pqcq
AdonisJS Path Traversal in Multipart File Handling
Description: A Path Traversal (CWE-22) vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts `@adonisjs/bodyparser` through version `10.1.1` and `11.x` prerelease versions prior to `11.0.0-next.6`. This issue has been patched in `@adonisjs/bodyparser` versions `10.1.2` and `11.0.0-next.6`.
Aliases:
CVE-2026-21440
GHSA-gvq6-hvvp-h34h

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-06T06:50:57.384322+00:00 | GitLab Importer | Affected by | VCID-86dd-yfnr-y3ac | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@adonisjs/bodyparser/CVE-2026-25754.yml | 38.6.0
2026-06-06T06:50:52.924477+00:00 | GitLab Importer | Affected by | VCID-qj4q-bzvu-zfe4 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@adonisjs/bodyparser/CVE-2026-25762.yml | 38.6.0
2026-06-05T21:58:28.309576+00:00 | GHSA Importer | Affected by | VCID-qj4q-bzvu-zfe4 | https://github.com/advisories/GHSA-xx9g-fh25-4q64 | 38.6.0
2026-06-05T21:58:26.926666+00:00 | GHSA Importer | Affected by | VCID-86dd-yfnr-y3ac | https://github.com/advisories/GHSA-f5x2-vj4h-vg4c | 38.6.0
2026-06-05T21:54:42.827210+00:00 | GHSA Importer | Fixing | VCID-zab6-k8c8-pqcq | https://github.com/advisories/GHSA-gvq6-hvvp-h34h | 38.6.0
2026-06-04T16:54:35.447239+00:00 | GithubOSV Importer | Fixing | VCID-zab6-k8c8-pqcq | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gvq6-hvvp-h34h/GHSA-gvq6-hvvp-h34h.json | 38.6.0
2026-06-02T04:49:21.033628+00:00 | GitLab Importer | Fixing | VCID-zab6-k8c8-pqcq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/@adonisjs/bodyparser/CVE-2026-21440.yml | 38.6.0