Spring4shell in Adonisjs

Spring4shell (CVE-2022-22965) is a remote code execution (RCE) vulnerability in Spring Framework for Java, where an attacker exploits data binding to overwrite ClassLoader properties. While AdonisJS (a Node.js framework) is not vulnerable to the same Java-specific flaw, similar RCE patterns can emerge through unsafe request object mapping and prototype pollution in JavaScript/TypeScript applications.

In AdonisJS, a common anti-pattern is using request.all() or request.only() to mass-assign user input directly onto model instances or configuration objects. If an endpoint inadvertently allows control over nested properties like __proto__, constructor, or prototype, an attacker can pollute the object prototype chain and execute arbitrary code. This is conceptually analogous to Spring4shell's abuse of data binding to manipulate critical JVM properties.

AdonisJS-specific vulnerable code path:

// routes.ts
Route.post('/users', async ({ request, response }) => {
  // VULNERABLE: Direct mass assignment without property filtering
  const user = User.create(request.all())
  return response.created(user)
})

Here, if the request body includes { "__proto__": { "isAdmin": true } } or { "constructor": { "prototype": { "malicious": "code" } } }, Node.js's object prototype may be modified. If any subsequent code uses polluted objects (e.g., checking user.isAdmin), it could lead to privilege escalation or RCE when combined with other vulnerabilities like eval() or unsafe deserialization.

Detecting this class of vulnerability requires testing for mass assignment and prototype pollution in API endpoints. middleBrick's Input Validation and BOLA/IDOR checks include probes that attempt to inject dangerous properties (__proto__, constructor) into request payloads and observe behavioral changes in responses or server state.

For an AdonisJS API, middleBrick will:

• Send payloads like { "__proto__": { "admin": true } } to POST/PUT endpoints.
• Send follow-up requests to related endpoints to see if the polluted property persists (indicating object prototype modification).
• Analyze response differences, error messages, or side effects (e.g., newly created users with elevated privileges).

Example scan with middleBrick CLI:

middlebrick scan https://api.example.com/users

The resulting report will flag any endpoint where prototype pollution is possible, categorizing it under Input Validation (OWASP A03:2021 – Injection) with a severity based on exploitability. middleBrick's scoring (0–100) will reflect the risk, and findings will include precise request/response evidence and remediation steps tailored to AdonisJS.

Remediation in AdonisJS centers on strict input whitelisting and avoiding mass assignment. Use AdonisJS's built-in validator package to define explicit schemas that exclude dangerous properties.

Fixed code example:

import { schema, rules } from '@ioc:Adonis/Core/Validator'

const UserSchema = schema.create({
  name: schema.string({ trim: true }, [rules.minLength(2)]),
  email: schema.string({ trim: true }, [rules.email()]),
  // Only explicitly allowed fields
  age: schema.optional(schema.number([rules.min(18)])),
})

Route.post('/users', async ({ request, response }) => {
  const validated = await request.validate({ schema: UserSchema })
  // Safe: Only whitelisted fields are used
  const user = User.create(validated)
  return response.created(user)
})

Additional hardening:

• Never use request.all() or request.only() without a strict allow-list. Prefer request.only(['name', 'email']) with an explicit array of safe fields.
• Use request.except() to remove known dangerous keys, but whitelisting is more secure.
• For existing models, review any use of .merge() or .fill() with user input.
• Enable strict mode in config/app.ts to prevent accidental prototype pollution: prototypePollution: true (AdonisJS v5+).

After fixes, re-scan with middleBrick to confirm the Input Validation score improves and the finding is resolved.