A critical path traversal vulnerability in AdonisJS has been discovered that could allow remote attackers to write arbitrary files to server filesystems, potentially leading to complete system compromise.
The vulnerability, tracked as CVE-2026-21440, affects the bodyparser module of the popular TypeScript-first web framework and carries a critical CVSS v4 severity rating.
The security flaw resides in AdonisJS’s multipart file-handling mechanism in the @adonisjs/bodyparser package.
When processing multipart/form-data uploads, the framework’s MultipartFile.move() method uses unsafe default options that fail to sanitize client-supplied filenames properly.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2026-21440 |
| Severity | Critical (CVSS v4: AV:N/AC:L/AT:P/PR:N/UI:N) |
| Affected Versions | ≤ 10.1.1, ≤ 11.0.0-next.5 |
| Weakness Type | CWE-22 (Path Traversal) |
Attackers can exploit this weakness by submitting specially crafted filenames containing path traversal sequences (such as “../”) to escape intended upload directories and write files to arbitrary locations on the server.
Exploitation requires a reachable upload endpoint that developers can use with MultipartFile.move() without proper filename sanitization. The vulnerability’s default configuration allows file overwrites, amplifying the threat.
If attackers can overwrite application code, startup scripts, or configuration files, remote code execution becomes possible depending on filesystem permissions and deployment configuration.
Security researcher Wodzen discovered and reported this vulnerability on GitHub, which affects @adonisjs/bodyparser versions up to 10.1.1 and prerelease versions 11.0.0-next.5 and earlier.
AdonisJS has released security patches for versions 6 and 7. Developers should immediately upgrade to @adonisjs/bodyparser version 10.1.2 or 11.0.0-next.6.
Organizations using affected versions should audit their upload endpoints and implement explicit filename sanitization as an additional security layer.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
