2 matches found
@adonisjs/bodyparser has an incomplete fix for CVE-2026-25754
Summary The fix for GHSA-f5x2-vj4h-vg4c / CVE-2026-25754 introduced in commit 40e1c71 is incomplete and can be bypassed through nested prototype pollution payloads. The original patch replaced the internal FormFields storage object with Object.createnull, preventing direct payloads such as...
CVE-2026-25754
creationtimestamp| type| source ---|---|--- 2026-02-08 03:10:06+00:00| seen| https://gist.github.com/alon710/8313d7afe645c9d035fed8ea6e3f58d8 2026-07-15 23:00:14+00:00| seen| https://bsky.app/profile/euvd-bot.bsky.social/post/3mqpt6omwjh2x 2026-07-16 00:27:26+00:00| seen|...