CVE-2026-25762
HIGH
GHSA-xx9g-fh25-4q64
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Description
AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a denial of service (DoS) vulnerability exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and process termination. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.
Analysis
Memory exhaustion in AdonisJS @adonisjs/bodyparser prior to versions 10.1.3 and 11.0.0-next.9 allows unauthenticated remote attackers to trigger denial of service by uploading files that cause unbounded memory accumulation during multipart parsing. The vulnerable multipart handler fails to enforce memory limits while processing file type detection, enabling attackers to exhaust server resources and crash the application. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running affected AdonisJS versions (prior to 10.1.3 or 11.0.0-next.9) and disable file upload functionality if possible. Within 7 days: Implement compensating controls such as WAF rules to limit upload sizes and request rates, apply network segmentation to isolate affected services, and monitor memory consumption on affected servers. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today