CVE-2026-25762: AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection

February 6, 2026 (updated February 7, 2026)

A Denial of Service (DoS) vulnerability (CWE-400) exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and process termination.

This issue affects applications that accept multipart/form-data uploads using affected versions of @adonisjs/bodyparser.

References

github.com/adonisjs/bodyparser/releases/tag/v10.1.3
github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9
github.com/adonisjs/core
github.com/adonisjs/core/security/advisories/GHSA-xx9g-fh25-4q64
github.com/advisories/GHSA-xx9g-fh25-4q64
nvd.nist.gov/vuln/detail/CVE-2026-25762

Code Behaviors & Features

Detect and mitigate CVE-2026-25762 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →