A critical path traversal vulnerability discovered in AdonisJS’s bodyparser module threatens applications relying on the popular TypeScript-first web framework.
Security researcher Romain Lanz disclosed the flaw tracked as GHSA-gvq6-hvvp-h34h which allows unauthenticated attackers to write arbitrary files to server filesystems, potentially leading to remote code execution.
The vulnerability lies in AdonisJS’s multipart file handling, specifically in the @adonisjs/bodyparser package.
When developers use the MultipartFile.move() method without properly sanitizing filenames, attackers can exploit path traversal sequences to bypass directory restrictions.
The root cause stems from unsafe default options. If developers omit the filename parameter during file uploads, the system defaults to using the client-supplied filename without sanitization.
By combining this with path.join() logic, attackers craft malicious filenames containing traversal sequences like “../” to escape intended upload directories and write files anywhere on the server.
Additionally, the overwrite option defaults to true, enabling attackers to overwrite existing files, amplifying the attack’s destructive potential.
Exploiting this vulnerability grants attackers arbitrary file-write access on the server. The immediate risk extends beyond simple file corruption: if attackers overwrite application code, startup scripts, or configuration files that the application later executes, remote code execution becomes possible.
However, RCE success depends on multiple factors: filesystem permissions, deployment architecture, and whether the application overwrites files at runtime.
Exploitation requires access to a reachable upload endpoint, making this a remote attack vector.
The vulnerability impacts @adonisjs/bodyparser versions up to 10.1.1 and early prerelease versions 11.x before 11.0.0-next.6.
Developers using these versions face immediate risk if they haven’t implemented custom filename sanitization.
AdonisJS maintainers have released patches addressing the vulnerability in versions 10.1.2 and 11.0.0-next.6. Security-conscious developers should immediately upgrade to these patched versions.
For organizations unable to update immediately, implementing explicit filename sanitization before calling MultipartFile.move() provides temporary protection. Setting the options.name parameter to a validated, safe filename prevents traversal attacks.
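The following is an added illustration, not code from the advisory or from the AdonisJS project: it reimplements the unsafe default described above (client filename joined onto the upload directory with path.join) next to a hardened name generator and a containment check of the kind to apply before calling MultipartFile.move(). The upload directory and filenames are constructed sample values; the `file.clientName` property mentioned in the comment is an assumption about the framework's API.

```typescript
import * as path from "node:path";
import { randomUUID } from "node:crypto";

// Constructed sample: the directory the application intends uploads to land in.
const UPLOAD_DIR = "/srv/app/uploads";

// Mirrors the unsafe default from the advisory: when no name option is given,
// the client-supplied filename is joined onto the upload directory as-is, so
// "../" sequences escape it. Illustrative reimplementation, not bodyparser code.
function unsafeDestination(uploadDir: string, clientName: string, name?: string): string {
  return path.posix.join(uploadDir, name ?? clientName);
}

// Hardened: discard every directory component of the client name, keep only a
// conservative extension, and generate the on-disk basename server-side.
// `id` is injectable so the result can be tested deterministically.
function sanitizeFilename(clientName: string, id: string = randomUUID()): string {
  const base = path.posix.basename(clientName.replace(/\\/g, "/").replace(/\0/g, ""));
  const ext = path.posix.extname(base).toLowerCase().replace(/[^a-z0-9.]/g, "").slice(0, 16);
  return `${id}${ext}`;
}

// Defence in depth: confirm the final path still lies strictly inside the root.
function isInside(root: string, candidate: string): boolean {
  const rel = path.posix.relative(root, candidate);
  return rel !== "" && !rel.startsWith("..") && !path.posix.isAbsolute(rel);
}

// Builds the destination the way a patched handler should, refusing anything
// that resolves outside the upload directory.
function safeDestination(uploadDir: string, clientName: string, id?: string): string {
  const dest = path.posix.join(uploadDir, sanitizeFilename(clientName, id));
  if (!isInside(uploadDir, dest)) {
    throw new Error("upload destination escaped the upload directory");
  }
  return dest;
}

// Options to pass to MultipartFile.move(): an explicit server-chosen name and
// overwrite disabled, instead of relying on the defaults (assumes file.clientName).
function moveOptions(clientName: string): { name: string; overwrite: boolean } {
  return { name: sanitizeFilename(clientName), overwrite: false };
}
```

In a handler this becomes `await file.move(UPLOAD_DIR, moveOptions(file.clientName))`, with `isInside` as a final guard if the resulting path is ever derived from request data again.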
Development teams should treat this as a high-priority security patch. Given the potential for remote code execution and the simplicity of exploitation, upgrading should occur within days rather than weeks.
The post Critical AdonisJS Vulnerability Allows Remote Attackers to Write Files on Servers appeared first on Cyber Security News.