Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN029
_____________________________________________________________________

DATE                : 14/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running @adonisjs/lucid versions prior to
                                   21.8.2, 22.0.0-next.6.

=====================================================================
https://github.com/adonisjs/lucid/security/advisories/GHSA-g5gc-h5hp-555f
_____________________________________________________________________


Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM
State
High
RomainLanz published GHSA-g5gc-h5hp-555f Jan 13, 2026

Package
@adonisjs/lucid

Affected versions
<= 21.8.1
<= 22.0.0-next.5

Patched versions
21.8.2
22.0.0-next.6


Description

Summary

Description
A Mass Assignment (CWE-915) vulnerability in AdonisJS Lucid may allow
a remote attacker who can influence data that is passed into Lucid
model assignments to overwrite the internal ORM state. This may lead
to logic bypasses and unauthorized record modification within a table
or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x
pre-release versions prior to 22.0.0-next.6. This has been patched in
@adonisjs/lucid versions 21.8.2 and 22.0.0-next.6.


Details

A vulnerability in the BaseModelImpl class of @adonisjs/lucid may
allow an attacker to overwrite internal class properties (such as
$isPersisted, $attributes, or $isDeleted) when passing plain objects
to model assignment methods.

The library relies on a this.hasOwnProperty(key) check to validate
assignment targets. However, because internal ORM state properties
are initialized as instance properties, they pass this check.
Consequently, if an attacker can influence specific keys
(like $isPersisted) into the payload passed to merge() or
$consumeAdapterResult(), they can hijack the ORM's internal logic.

The exposed internal properties include:

    $attributes: The raw storage for model data.
    $isPersisted: Controls whether save() performs an INSERT or
an UPDATE.
    $original: Stores the original state of the record used to
calculate changes.
    $isDeleted: Prevents operations on deleted models.

This issue propagates to the entire write surface of the library,
including:

    Instance methods fill and merge.
    Single record creation methods create, createQuietly, firstOrNew,
and firstOrCreate.
    Conditional updates via updateOrCreate.
    Bulk operations createMany, createManyQuietly, fetchOrNewUpMany,
fetchOrCreateMany, and updateOrCreateMany.


Impact

Applications are vulnerable if they pass unvalidated data or validated
data that retains unknown properties to the model. This occurs because
internal keys exist as instance properties, causing them to pass the
hasOwnProperty check and bypass Lucid's default rejection of unknown
properties.

Applications utilizing strict allow lists for input validation that
discard unknown properties are not affected.

For example, if a developer passes request.all(), request.except() or
a schema with allowUnknownProperties to Model.create(), the ORM's internal
logic can be hijacked. Because the Model.create() > save() decision is
based on $isPersisted, and merge() can assign to the own-property
$isPersisted, an attacker who can inject "$isPersisted": true into the
payload can force save() to take the UPDATE branch rather than the INSERT
branch, while setting $attributes can bypass validators or field
restrictions.


Patches

This issue has been patched in @adonisjs/lucid version 21.8.2 and
22.0.0-next.6. Please upgrade to this version or later.

Developers can mitigate this issue by strictly validating model inputs
with an allow list that drops unknown keys if possible.


Severity
High
8.2/ 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required None
User interaction None
Vulnerable System Impact Metrics
Confidentiality None
Integrity High
Availability None
Subsequent System Impact Metrics
Confidentiality None
Integrity None
Availability None
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

CVE ID
CVE-2026-22814

Weaknesses
Weakness CWE-915

Credits

    @wodzen wodzen Reporter



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================