Lucid Nightmares: Hijacking Internal State in AdonisJS
Jan 14, 2026 · 6 min read
Executive Summary (TL;DR)
Developers using `request.all()` to fill Lucid models are inadvertently handing attackers the keys to the ORM engine. CVE-2026-22814 allows the injection of internal properties (like `$isPersisted`), tricking the application into treating new records as existing ones (or vice versa) and bypassing field protection. Patch immediately to v21.8.2+.
A critical Mass Assignment vulnerability in the official AdonisJS ORM (@adonisjs/lucid) allows attackers to overwrite internal model state. By injecting reserved properties like `$isPersisted` or `$attributes`, remote actors can bypass business logic, escalate privileges, and corrupt database integrity.
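As an added illustration (not code from the advisory or from @adonisjs/lucid itself), the following constructed stand-in shows why copying every key of a request body into a model is dangerous, beside a hardened fill that allowlists columns and rejects `$`-prefixed keys; the `ToyModel` shape and method names are assumptions for this example only.

```javascript
// Constructed stand-in for a Lucid-style model. The real Lucid internals differ;
// only the shape needed to show the mass-assignment problem is modelled here.
class ToyModel {
  constructor() {
    this.$isPersisted = false; // internal: does this row already exist in the DB?
    this.$attributes = {};     // internal: column values
  }

  // Vulnerable pattern, mirroring the advisory's description of fill(request.all()):
  // every key is copied, so '$isPersisted' / '$attributes' in user input overwrite
  // internal state and a brand-new record can be made to look already persisted.
  unsafeFill(input) {
    Object.assign(this, input);
    return this;
  }

  // Hardened pattern: accept only allowlisted columns and refuse any key that
  // names internal state. Unknown non-reserved keys are silently dropped.
  safeFill(input, allowedColumns) {
    const reserved = findReservedKeys(input);
    if (reserved.length > 0) {
      throw new Error(`rejected reserved keys: ${reserved.join(', ')}`);
    }
    for (const key of allowedColumns) {
      if (Object.prototype.hasOwnProperty.call(input, key)) {
        this.$attributes[key] = input[key];
      }
    }
    return this;
  }
}

// Detection helper: list keys in a request body that target ORM-internal state.
// Useful as a logging hook in middleware while the upgrade to 21.8.2 is rolled out.
function findReservedKeys(body) {
  return Object.keys(body).filter((k) => k.startsWith('$'));
}

// Constructed sample body: a legitimate column plus an injected internal flag.
const sampleBody = { title: 'hello', $isPersisted: true };

function demo() {
  const vulnerable = new ToyModel().unsafeFill(sampleBody);
  const hardened = new ToyModel().safeFill({ title: 'hello' }, ['title']);
  return { vulnerablePersisted: vulnerable.$isPersisted, hardenedPersisted: hardened.$isPersisted };
}
```

In a real AdonisJS controller the equivalent mitigation is to pass a validated or `request.only([...])`-style subset of the body to the model rather than `request.all()`.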
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| @adonisjs/lucid (AdonisJS) | <= 21.8.1 | 21.8.2 |
| @adonisjs/lucid (AdonisJS) | >= 22.0.0-next.0, < 22.0.0-next.6 | 22.0.0-next.6 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-915 (Mass Assignment) |
| Attack Vector | Network (AV:N) |
| CVSS Score | 8.2 (High) |
| Impact | Integrity (High) |
| Exploit Status | PoC Available |
| KEV Status | Not Listed |
CWE-915 (Mass Assignment) describes the weakness as follows: the product allows input to modify dynamically-determined object attributes, but it does not prevent the modification of attributes that should be restricted.