A critical path traversal vulnerability has been discovered in AdonisJS’s multipart file handling, potentially allowing remote attackers to write arbitrary files to server locations outside the intended upload directory.
The vulnerability, tracked as CVE-2026-21440, affects @adonisjs/bodyparser versions through 10.1.1 and all 11.x prerelease versions prior to 11.0.0-next.6, with patches now available in versions 10.1.2 and 11.0.0-next.6.
The vulnerability resides in how AdonisJS handles the MultipartFile.move(location, options) function during multipart/form-data processing through the BodyParser middleware.
When the options parameter is omitted or doesn’t explicitly provide a sanitized filename, the system defaults to using the unsanitized client-supplied filename.
The vulnerable code constructs the destination path using path.join(location, name). path.join normalizes “..” segments rather than rejecting them, so a filename such as ../../../etc/foo resolves to a path outside location instead of being treated as invalid.
Additionally, if developers don’t explicitly set options.overwrite, it defaults to true, permitting the upload to replace whatever file already exists at the calculated destination.
This combination creates a two-stage vulnerability: attackers can supply crafted filenames containing directory traversal sequences (such as “../../../”) to escape the intended upload directory, and the overwrite default then lets them clobber existing files at arbitrary locations on the filesystem.
AdonisJS documentation previously demonstrated code examples that inadvertently guided developers toward this vulnerable implementation pattern, increasing the real-world attack surface.
Impact and Exploitation Requirements
Successful exploitation requires a reachable upload endpoint within the target application. Any developer who implements MultipartFile.move() without properly sanitizing the filename parameter or without explicitly providing the options argument exposes their application to this vulnerability.
Once an attacker gains the ability to write files outside the intended directory, multiple attack chains become feasible.
The most severe consequence involves remote code execution (RCE), which can be achieved if attackers overwrite application code, startup scripts, or configuration files that are subsequently executed or loaded by the runtime.
However, RCE is contingent on several factors, including filesystem permissions, deployment architecture, and application runtime behavior.
In restricted environments with proper permission segmentation, the vulnerability may be limited to file write capabilities without achieving code execution.
CVSS Severity Assessment
The vulnerability receives a critical CVSS v4.0 base score with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.
The metrics indicate a network-based attack vector with low complexity and no privileges or user interaction required; the AT:P component records that attack requirements exist, namely a reachable upload endpoint built on the vulnerable pattern, so exploitation is not unconditional.
High impacts across confidentiality, integrity, and availability make this a critical security concern for organizations running vulnerable AdonisJS versions.
Organizations should immediately upgrade to @adonisjs/bodyparser version 10.1.2 or later for the stable branch, or version 11.0.0-next.6 for early adopters on the prerelease track.
Development teams should audit existing upload handlers to ensure proper filename sanitization and explicit options configuration.
The AdonisJS security team recommends implementing strict input validation on all client-supplied filenames and explicitly setting the overwrite parameter to false unless overwriting is expressly required and validated.
