CVE-2026-25762
📋 TL;DR
AdonisJS multipart file upload handler has a memory exhaustion vulnerability that allows attackers to cause denial of service by uploading specially crafted files. This affects all applications using vulnerable versions of @adonisjs/bodyparser. The vulnerability can lead to application crashes due to excessive memory consumption.
💻 Affected Systems
- AdonisJS
- @adonisjs/bodyparser
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete application downtime due to process termination from memory exhaustion, potentially affecting all users of the service.
Likely Case
Service degradation or temporary unavailability for users during file upload operations, with automatic recovery after process restart.
If Mitigated
Minimal impact with proper rate limiting, file size restrictions, and monitoring in place to detect abnormal memory usage patterns.
🎯 Exploit Status
Exploitation requires only the ability to upload files to the vulnerable endpoint, making it accessible to attackers with minimal technical skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.1.3 or 11.0.0-next.9
Vendor Advisory: https://github.com/adonisjs/core/security/advisories/GHSA-xx9g-fh25-4q64
Restart Required: Yes
Instructions:
1. Update @adonisjs/bodyparser to version 10.1.3 or 11.0.0-next.9 using npm or yarn.
2. Update package.json to lock the new version.
3. Restart the application server.
4. Test file upload functionality.
🔧 Temporary Workarounds
Implement file size limits
Configure a maximum multipart body size in the AdonisJS bodyparser configuration to limit memory consumption
// In config/bodyparser.ts (only the multipart block is shown)
const bodyParserConfig = {
  multipart: {
    // The bodyparser option for the multipart size cap is `limit`
    // (the original snippet used `maxSize`, which is not a bodyparser option)
    limit: '10mb', // Adjust based on your needs
    // other configurations
  },
}

export default bodyParserConfig
Disable file type detection
Turn off automatic file type detection in multipart processing if it is not required
// In config/bodyparser.ts (only the multipart block is shown)
const bodyParserConfig = {
  multipart: {
    detectFileType: false,
    // other configurations
  },
}

export default bodyParserConfig
🧯 If You Can't Patch
- Implement strict rate limiting on file upload endpoints to prevent mass exploitation
- Deploy a reverse proxy or WAF with request size limiting and DoS protection in front of the application
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for the @adonisjs/bodyparser version. If the version is below 10.1.3 (for the v10 line) or below 11.0.0-next.9 (for the v11 line), the system is vulnerable.
Check Version:
npm list @adonisjs/bodyparser
Verify Fix Applied:
Verify that the @adonisjs/bodyparser version is 10.1.3 or higher (for v10) or 11.0.0-next.9 or higher (for v11) using npm list @adonisjs/bodyparser
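To make the version rule above a repeatable check, here is an added example (not from the advisory or the AdonisJS project) that reads the resolved @adonisjs/bodyparser version from a constructed package-lock.json fragment and compares it against the fixed versions named above, including the prerelease ordering needed for 11.0.0-next.N.

```javascript
// Added example, not from the advisory or AdonisJS: classify an installed
// @adonisjs/bodyparser version against the fixed versions named above.
const FIXED_VERSIONS = { 10: '10.1.3', 11: '11.0.0-next.9' };
// Parse "MAJOR.MINOR.PATCH[-pre.N]" into a comparable structure.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  const pre = m[4] ? m[4].split('.').map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Semver ordering: numeric core first; a prerelease sorts below its release;
// prerelease identifiers compare numerically when both are numbers.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre || !pb.pre) return pa.pre ? -1 : 1;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    if (x === y) continue;
    if (typeof x === typeof y) return x < y ? -1 : 1;
    return typeof x === 'number' ? -1 : 1; // numeric identifiers sort first
  }
  return 0;
}

// true = below the fixed version for its major line, false = fixed,
// null = a major line the advisory gives no range for.
function isVulnerable(installed) {
  const fixed = FIXED_VERSIONS[parseVersion(installed).core[0]];
  if (!fixed) return null;
  return compareVersions(installed, fixed) < 0;
}

// Resolved version from a package-lock.json (lockfile v2/v3 or v1 layout).
function lockedVersion(lockJson) {
  const lock = JSON.parse(lockJson);
  const entry = lock.packages?.['node_modules/@adonisjs/bodyparser']
    ?? lock.dependencies?.['@adonisjs/bodyparser'];
  return entry ? entry.version : null;
}

// Constructed lockfile fragment for illustration, not a real project's file.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3,
  packages: { 'node_modules/@adonisjs/bodyparser': { version: '10.1.2' } } });
```

Run it against your own lockfile by passing its contents to lockedVersion() and the result to isVulnerable().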
📡 Detection & Monitoring
Log Indicators:
- Abnormally high memory usage spikes during file upload operations
- Process termination/crash logs related to out-of-memory errors
- Unusually large file upload requests in application logs
Network Indicators:
- Multiple large file upload requests from single IP addresses
- Abnormal traffic patterns to file upload endpoints
SIEM Query:
source="application.logs" ("out of memory" OR "process terminated" OR "memory limit") AND ("upload" OR "multipart" OR "file")