adonisjs CVE Vulnerabilities & Metrics

Focus on adonisjs vulnerabilities and metrics.

Last updated: 29 Mar 2026, 22:25 UTC

About adonisjs Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with adonisjs. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total adonisjs CVEs: 3
Earliest CVE date: 21 Sep 2021, 17:15 UTC
Latest CVE date: 06 Feb 2026, 23:15 UTC

Latest CVE reference: CVE-2026-25762

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 2

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical adonisjs CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 1.93

Max CVSS: 5.8

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	2
4.0-6.9	1
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS adonisjs CVEs

These are the five CVEs with the highest CVSS scores for adonisjs, sorted by severity first and recency.

CVE-2021-23443 adonisjs Published on 21 Sep 2021, 17:15 UTC (CVSS: 5.8)
This affects the package edge.js before 5.3.2. A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array (instead of a string or a SafeValue), even if {{ }} are used.
CVE-2026-25762 adonisjs Published on 06 Feb 2026, 23:15 UTC (CVSS: 0)
AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a denial of service (DoS) vulnerability exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and...
CVE-2026-25754 adonisjs Published on 06 Feb 2026, 23:15 UTC (CVSS: 0)
AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.

All CVEs for adonisjs

CVE-2026-25762 adonisjs vulnerability CVSS: 0 06 Feb 2026, 23:15 UTC

AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a denial of service (DoS) vulnerability exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and process termination. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.

CVE-2026-25754 adonisjs vulnerability CVSS: 0 06 Feb 2026, 23:15 UTC

AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.

CVE-2021-23443 adonisjs vulnerability CVSS: 5.8 21 Sep 2021, 17:15 UTC

This affects the package edge.js before 5.3.2. A type confusion vulnerability can be used to bypass input sanitization when the input to be rendered is an array (instead of a string or a SafeValue), even if {{ }} are used.