The vulnerability, tracked as CVE-2026-21440, affects the bodyparser module of the popular TypeScript-first web framework and carries a critical CVSS v4 severity rating.
The security flaw resides in AdonisJS’s multipart file-handling mechanism in the @adonisjs/bodyparser package.
When processing multipart/form-data uploads, the framework’s MultipartFile.move() method uses unsafe default options that fail to sanitize client-supplied filenames properly.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2026-21440 |
| Severity | Critical (CVSS v4: AV:N/AC:L/AT:P/PR:N/UI:N) |
| Affected Versions | ≤ 10.1.1, ≤ 11.0.0-next.5 |
| Weakness Type | CWE-22 (Path Traversal) |
Attackers can exploit this weakness by submitting specially crafted filenames containing path traversal sequences (such as “../”) to escape intended upload directories and write files to arbitrary locations on the server.
Exploitation requires a reachable upload endpoint that developers can use with MultipartFile.move() without proper filename sanitization. The vulnerability’s default configuration allows file overwrites, amplifying the threat.
If attackers can overwrite application code, startup scripts, or configuration files, remote code execution becomes possible depending on filesystem permissions and deployment configuration.
Security researcher Wodzen discovered and reported this vulnerability on GitHub, which affects @adonisjs/bodyparser versions up to 10.1.1 and prerelease versions 11.0.0-next.5 and earlier.
AdonisJS has released security patches for versions 6 and 7. Developers should immediately upgrade to @adonisjs/bodyparser version 10.1.2 or 11.0.0-next.6.
Organizations using affected versions should audit their upload endpoints and implement explicit filename sanitization as an additional security layer.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Critical AdonisJS Vulnerability Allow Remote Attacker to Write Files On Server appeared first on Cyber Security News.
Less than an hour before showtime, eight Concord High School girls helped put tiny braids…
The rural character of the Kearsarge region defines almost every dimension of food access for…
If you’re planning an overnight trip to the Pemigewasset Wilderness, add one thing to your…
Publisher Sega and developer Creative Assembly have revealed what appears to be a teaser trailer…
US President Donald Trump used a lone gunman’s storming of the lobby outside the White House Correspondents’ Dinner on…
AMHERST — Performances by local and student bands, an art walk at campus galleries and…
This website uses cookies.