Cyber Web Spider Blog – News

Critical AdonisJS Vulnerability Allows Remote Attackers to Write Files on Server

Posted on January 6, 2026 by CWS

A critical path traversal vulnerability has been found in AdonisJS that could allow remote attackers to write arbitrary files to server filesystems, potentially leading to complete system compromise.

The vulnerability, tracked as CVE-2026-21440, affects the bodyparser module of the popular TypeScript-first web framework and carries a critical CVSS v4 severity score.

The security flaw resides in AdonisJS's multipart file-handling mechanism in the @adonisjs/bodyparser package.

When processing multipart/form-data uploads, the framework's MultipartFile.move() method uses unsafe default options that fail to properly sanitize client-supplied filenames.

| Attribute | Details |
|---|---|
| CVE ID | CVE-2026-21440 |
| Severity | Critical (CVSS v4: AV:N/AC:L/AT:P/PR:N/UI:N) |
| Affected Versions | ≤ 10.1.1, ≤ 11.0.0-next.5 |
| Weakness Type | CWE-22 (Path Traversal) |

Attackers can exploit this weakness by submitting specially crafted filenames containing path traversal sequences (such as "../") to escape the intended upload directories and write files to arbitrary locations on the server.

Exploitation requires a reachable upload endpoint where developers use MultipartFile.move() without proper filename sanitization. The default configuration permits file overwrites, amplifying the risk.

If attackers can overwrite application code, startup scripts, or configuration files, remote code execution becomes possible, depending on filesystem permissions and deployment configuration.

Security researcher Wodzen discovered and reported this vulnerability on GitHub. It affects @adonisjs/bodyparser versions up to 10.1.1 and prerelease versions 11.0.0-next.5 and earlier.

AdonisJS has released security patches for versions 6 and 7. Developers should immediately upgrade to @adonisjs/bodyparser version 10.1.2 or 11.0.0-next.6.

Organizations using affected versions should audit their upload endpoints and implement explicit filename sanitization as an additional security layer.
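
An added example (not AdonisJS code and not from the original article) of the explicit filename sanitization recommended above: it contrasts a simplified unsafe path join with a hardened destination check and a write that refuses to overwrite. The function names, the /srv/app/uploads directory and the sample filenames are constructed for illustration.

```javascript
const path = require("node:path");
const fs = require("node:fs");

// Simplified stand-in for the unsafe pattern (not AdonisJS source):
// the client-supplied name is joined onto the upload directory as-is.
function unsafeDestination(uploadDir, clientName) {
  return path.join(uploadDir, clientName);
}

// Reduce a client-supplied filename to a bare leaf name.
function sanitizeClientName(clientName) {
  if (typeof clientName !== "string") throw new Error("filename must be a string");
  // Treat both "/" and "\" as separators, then strip control characters.
  const leaf = clientName.split(/[\\/]/).pop().replace(/[\x00-\x1f\x7f]/g, "");
  if (leaf === "" || leaf === "." || leaf === "..") throw new Error("unusable filename");
  return leaf;
}

// Sanitize, resolve, then verify the result still sits inside uploadDir.
function safeDestination(uploadDir, clientName) {
  const root = path.resolve(uploadDir);
  const dest = path.resolve(root, sanitizeClientName(clientName));
  const rel = path.relative(root, dest);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("destination escapes upload directory");
  }
  return dest;
}

// Write without overwriting: the "wx" flag fails with EEXIST if the file exists.
function writeUpload(uploadDir, clientName, data) {
  const dest = safeDestination(uploadDir, clientName);
  fs.writeFileSync(dest, data, { flag: "wx" });
  return dest;
}

// Constructed sample filenames, as a multipart client might send them.
const samples = ["report.pdf", "../../config/app.js", "..\\..\\start.sh", ".."];
for (const name of samples) {
  let safe;
  try {
    safe = safeDestination("/srv/app/uploads", name);
  } catch (e) {
    safe = `rejected: ${e.message}`;
  }
  console.log(JSON.stringify(name), "| unsafe:", unsafeDestination("/srv/app/uploads", name), "| safe:", safe);
}
```

Auditing an upload endpoint with this in mind means checking both properties: the stored path is derived from a sanitized name and confirmed to be inside the upload root, and an existing file is never silently replaced.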
