CVE-2026-25762 is a denial of service (DoS) vulnerability identified in the core of AdonisJS, a TypeScript-first web framework widely used for building server-side applications. The vulnerability specifically resides in the multipart file handling logic of the @adonisjs/bodyparser package, which is responsible for parsing multipart/form-data requests, commonly used for file uploads. In versions prior to 10.1.3 and 11.0.0-next.9, the multipart parser attempts to detect file types by accumulating data in memory without proper bounds checking. This uncontrolled resource consumption (CWE-400) can lead to excessive memory usage, causing the Node.js process to terminate unexpectedly due to out-of-memory conditions. The vulnerability does not require any authentication or user interaction, making it remotely exploitable by sending specially crafted multipart requests with large or numerous file uploads. The impact is limited to availability (denial of service), with no direct confidentiality or integrity compromise. The issue has been addressed in the patched versions 10.1.3 and 11.0.0-next.9 by implementing proper memory usage limits during file type detection. No known exploits have been reported in the wild as of the publication date, but the vulnerability poses a significant risk to applications relying on vulnerable versions of AdonisJS, especially those exposed to untrusted users or the internet. The CVSS v3.1 base score is 7.5, reflecting high severity due to network vector, low attack complexity, no privileges required, and no user interaction needed.

For European organizations, this vulnerability can lead to denial of service conditions in web applications built on vulnerable versions of AdonisJS. This can result in service outages, degraded user experience, and potential loss of business continuity, especially for public-facing applications handling file uploads. Organizations in sectors such as e-commerce, government services, and online platforms that rely on Node.js frameworks may face operational disruptions. The vulnerability could be exploited by attackers to cause repeated crashes or resource exhaustion, potentially leading to downtime during critical business hours. Although it does not compromise data confidentiality or integrity, the availability impact alone can have significant reputational and financial consequences. Additionally, remediation efforts during an active attack could divert IT resources and increase incident response costs.

European organizations should immediately upgrade any AdonisJS installations using @adonisjs/bodyparser to version 10.1.3 or later, or 11.0.0-next.9 or later, where the vulnerability is patched. Beyond upgrading, organizations should implement strict resource limits on file upload sizes and request rates at the web server or application firewall level to prevent abuse. Employing rate limiting and anomaly detection on multipart/form-data requests can help identify and block suspicious traffic patterns. Additionally, isolating file upload handling processes and monitoring memory usage metrics can provide early warning of exploitation attempts. Security teams should review application logs for unusual multipart upload activity and prepare incident response plans for potential DoS events. Regular dependency audits and timely patch management are critical to prevent exploitation of similar vulnerabilities.