| Field | Value |
|---|---|
| CVE ID | CVE-2026-48795 |
| Vendor | npm |
| Affected Product | @adonisjs/bodyparser |
| Vulnerability Type | Prototype pollution (bypass of the incomplete fix for CVE-2026-25754) |
| CVSS Score | 8.6 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |

# Summary

The fix for [GHSA-f5x2-vj4h-vg4c](https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c) / CVE-2026-25754, introduced in commit [40e1c71](https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed), is incomplete and can be bypassed with nested prototype pollution payloads. The original patch replaced the internal `FormFields` storage object with `Object.create(null)`, which blocks direct payloads such as `__proto__.polluted`. Payloads that place a harmless segment before `__proto__` or `constructor.prototype`, such as `user.__proto__.polluted`, still pollute `Object.prototype`: the root object has no prototype, but the nested objects created for the intermediate segments are ordinary objects that do, so walking into `__proto__` from one of them lands on `Object.prototype`. The issue is exploitable remotely through a single unauthenticated `multipart/form-data` request under the default configuration.
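The bypass described above, reproduced in a toy model. This is an added example and not code from @adonisjs/bodyparser: `setNestedPatched` models a field store whose root is `Object.create(null)` but whose intermediate containers are plain objects, and `setNestedHardened` is an assumed hardened shape (reject the dangerous segments anywhere in the path and build every container without a prototype), not the upstream fix. `DANGEROUS_SEGMENTS`, `pollutes` and `demo` are names chosen for this example; the field names are constructed inputs.

```javascript
// Added example, not code from @adonisjs/bodyparser. A toy model of a form
// field store that expands dotted field names ("user.name") into nested
// objects, used to show why a prototype-less root object alone is not enough.

const DANGEROUS_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Model of the original fix: the root is Object.create(null), but every
// intermediate container created along the path is a plain `{}`, which still
// inherits from Object.prototype.
function setNestedPatched(root, path, value) {
  const keys = path.split('.');
  let cur = root;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === undefined) cur[k] = {}; // plain object: has a prototype
    cur = cur[k]; // on a `{}`, cur['__proto__'] is Object.prototype itself
  }
  cur[keys[keys.length - 1]] = value;
  return root;
}

// Hardened variant (assumed shape, not the upstream fix): refuse the dangerous
// segments at any position and create intermediate containers without a
// prototype, so neither a direct nor a nested payload can reach Object.prototype.
function setNestedHardened(root, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (DANGEROUS_SEGMENTS.has(k)) {
      throw new Error(`unsafe field name segment rejected: ${k}`);
    }
  }
  let cur = root;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null); // no prototype chain to walk into
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return root;
}

// Feeds one constructed field name through a store and reports whether
// Object.prototype gained the leaf property. Cleans up afterwards so each
// check starts from an unpolluted prototype.
function pollutes(setter, fieldName) {
  const leaf = fieldName.split('.').pop();
  let threw = false;
  try {
    setter(Object.create(null), fieldName, 'yes');
  } catch (e) {
    threw = true;
  }
  const polluted = ({})[leaf] === 'yes';
  delete Object.prototype[leaf];
  return { threw, polluted };
}

// Summary of the behaviour the advisory text describes.
function demo() {
  return {
    // direct payload: blocked by the prototype-less root
    directBlocked: !pollutes(setNestedPatched, '__proto__.polluted').polluted,
    // nested payloads: the intermediate `{}` still has a prototype
    nestedProtoBypass: pollutes(setNestedPatched, 'user.__proto__.polluted').polluted,
    nestedCtorBypass: pollutes(setNestedPatched, 'user.constructor.prototype.polluted').polluted,
    // hardened store refuses the nested payload outright
    hardenedRejects: pollutes(setNestedHardened, 'user.__proto__.polluted').threw,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the real bug the dotted path is the multipart field name, so a single form part whose name is `user.__proto__.polluted` is enough; the model above only replaces the HTTP layer with a direct call. Checking every segment of the path, not just the first, is the property the original patch lacked.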