AdonisJS Prototype Pollution Vulnerability in Multipart Form-Data Parsing
Vulnerability
A prototype pollution vulnerability has been identified in AdonisJS versions prior to 10.1.3 and 11.0.0-next.9. This vulnerability exists within the framework's multipart form-data parsing, allowing remote attackers to manipulate object prototypes at runtime. The issue arises from inadequate validation of multipart field names, which can be exploited by crafting fields that include reserved property names such as '__proto__', 'constructor', or 'prototype'. When these fields are processed, they can directly alter object prototypes, potentially disrupting application behavior or introducing security risks.
Impact
Exploitation of this vulnerability can lead to prototype pollution, causing unexpected application behavior, logic bypasses, or security issues, depending on how the polluted objects are used within the application.
Reproduction
To reproduce this vulnerability, send a multipart/form-data request to an endpoint that processes this type of data, including form fields whose names contain reserved property names such as '__proto__' or 'constructor'. An unpatched application does not sanitize these field names, so the reserved properties are assigned onto the parsed objects and the prototype is polluted.
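As an added illustration (not the AdonisJS bodyparser's own code), the snippet below shows the defect class in a simplified walker that turns bracketed multipart field names into a nested body object, next to a hardened form that rejects reserved segments before assigning; splitFieldName, naiveSet, safeSet, prototypeIsClean and the sample field names are hypothetical and constructed.

```javascript
// Added illustration, not AdonisJS bodyparser code: a simplified setter that
// walks bracketed multipart field names ("user[profile][name]") into a nested
// body object, in a naive form and in a hardened form.

const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// "a[b][c]" -> ["a", "b", "c"]; a plain name yields a single segment.
function splitFieldName(fieldName) {
  return fieldName.replace(/\]/g, '').split('[');
}

// Naive: trusts every path segment, so a segment named "__proto__" steps
// onto Object.prototype and the final assignment lands there.
function naiveSet(body, fieldName, value) {
  const path = splitFieldName(fieldName);
  let node = body;
  for (const key of path.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return body;
}

// Hardened: reject reserved segments up front and only descend into the
// body's own properties, so the walk can never leave the parsed object.
function safeSet(body, fieldName, value) {
  const path = splitFieldName(fieldName);
  if (path.some((key) => RESERVED.has(key))) {
    throw new Error(`rejected multipart field name: ${fieldName}`);
  }
  let node = body;
  for (const key of path.slice(0, -1)) {
    if (!Object.hasOwn(node, key) || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return body;
}

// Constructed sample field names: one ordinary nested field, one reserved.
const SAMPLE_FIELDS = [['user[name]', 'alice'], ['__proto__[polluted]', 'yes']];

// True when a freshly created, unrelated object does not see `key`,
// i.e. Object.prototype has not been polluted with it.
function prototypeIsClean(key) {
  return !(key in {});
}
```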
Remediation
Users should upgrade to AdonisJS version 10.1.3 or 11.0.0-next.9, both of which include the patch. Upgrade instructions are in the release notes of the AdonisJS bodyparser GitHub repository.
