Intel

AIKIDO-2026-334058

@adonisjs/http-server is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

61

Medium Risk

This Affects:

JS@adonisjs/http-server
7.0.0 - 8.2.0
Fixed in 8.2.1
9.0.0 - 9.0.2
Fixed in 9.1.0
Are you affected? Scan for Free

TL;DR

The base ExceptionHandler in the AdonisJS HTTP server renders error responses as HTML by interpolating error.message and validation message.field / message.message values directly into the markup without escaping. When an application serves HTML error responses in production and an error carries attacker-influenced content, such as a not-found route path or submitted validation field names, the raw values are reflected into the response body. A remote attacker can inject HTML or script that executes in the victim's browser, resulting in reflected cross-site scripting. The fix HTML-escapes the error message and validation field/message values before embedding them in the response.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application serves HTML error or validation responses that include user-supplied content.

Background info

@adonisjs/http-server is vulnerable to Cross-Site Scripting (XSS) in versions 7.0.0 - 8.2.0 and 9.0.0 - 9.0.2.

How to fix this

Upgrade the @adonisjs/http-server library to the patch version.