A critical path traversal vulnerability has been found in AdonisJS that would allow remote attackers to write arbitrary files to server filesystems, potentially leading to complete system compromise.
The vulnerability, tracked as CVE-2026-21440, affects the bodyparser module of the popular TypeScript-first web framework and carries a critical CVSS v4 severity rating.
The security flaw resides in AdonisJS's multipart file-handling mechanism in the @adonisjs/bodyparser package.
When processing multipart/form-data uploads, the framework's MultipartFile.transfer() method uses unsafe default options that fail to properly sanitize client-supplied filenames.
Attribute | Details
CVE ID | CVE-2026-21440
Severity | Critical (CVSS v4: AV:N/AC:L/AT:P/PR:N/UI:N)
Affected Versions | ≤ 10.1.1, ≤ 11.0.0-next.5
Weakness Type | CWE-22 (Path Traversal)
Attackers can exploit this weakness by submitting specially crafted filenames containing path traversal sequences (such as "../") to escape the intended upload directory and write files to arbitrary locations on the server.
Exploitation requires a reachable upload endpoint where developers call MultipartFile.transfer() without proper filename sanitization. The vulnerability's default configuration permits file overwrites, amplifying the threat.
If attackers can overwrite application code, startup scripts, or configuration files, remote code execution becomes possible depending on filesystem permissions and deployment configuration.
Security researcher Wodzen discovered and reported this vulnerability on GitHub. It affects @adonisjs/bodyparser versions up to 10.1.1 and prerelease versions 11.0.0-next.5 and earlier.
AdonisJS has released security patches for versions 6 and 7. Developers should immediately upgrade to @adonisjs/bodyparser version 10.1.2 or 11.0.0-next.6.
Organizations using affected versions should audit their upload endpoints and implement explicit filename sanitization as an additional security layer.
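The following is an added example of the explicit sanitization layer recommended above. It is not AdonisJS code and does not use the @adonisjs/bodyparser API; it is a standalone Node.js helper (assumed to be called before a filename is handed to any transfer or write routine) that reduces a client-supplied name to a single safe path component and then proves the resolved destination stays inside the upload directory. The `naiveDestination` function and the `MAX_NAME_LENGTH` limit are constructed for contrast and illustration, not taken from the advisory.

```typescript
import * as path from "node:path";

// Upper bound on stored file name length (constructed limit, not from the advisory).
const MAX_NAME_LENGTH = 128;

/**
 * The unsafe pattern: joining an upload root with an unchecked client name.
 * Shown only so the containment check below can be compared against it.
 */
function naiveDestination(uploadDir: string, clientName: string): string {
  return path.resolve(uploadDir, clientName);
}

/**
 * Reduce a client-supplied filename to one safe path segment.
 * Returns null when nothing usable survives, so the caller must fall back
 * to a server-generated name instead of writing with an empty or dot name.
 */
function sanitizeFilename(clientName: string): string | null {
  // Keep only the last segment, splitting on both separators so a
  // Windows-style "..\" sequence is also discarded on POSIX hosts.
  const base = clientName.split(/[\\/]/).pop() ?? "";
  const cleaned = base
    .replace(/[\u0000-\u001f\u007f]/g, "") // drop NUL and control characters
    .replace(/[^A-Za-z0-9._-]/g, "_")     // conservative allowlist
    .replace(/^\.+/, "");                  // no leading dots: blocks ".", "..", dotfiles
  if (cleaned.length === 0) return null;
  return cleaned.slice(0, MAX_NAME_LENGTH);
}

/**
 * Resolve the final destination and enforce containment in uploadDir.
 * Throws when the name is unusable or the resolved path escapes the root,
 * which is exactly what a "../" sequence must not be allowed to do.
 */
function resolveUploadPath(uploadDir: string, clientName: string): string {
  const name = sanitizeFilename(clientName);
  if (name === null) {
    throw new Error("unusable filename; generate a server-side name instead");
  }
  const root = path.resolve(uploadDir);
  const dest = path.resolve(root, name);
  // Defence in depth: even after sanitizing, verify dest is strictly below root.
  if (!dest.startsWith(root + path.sep)) {
    throw new Error("destination escapes upload directory");
  }
  return dest;
}

/** True when a name would be stored exactly as the client sent it. */
function isSafeFilename(clientName: string): boolean {
  return sanitizeFilename(clientName) === clientName;
}
```

The sanitizer deliberately discards every directory component rather than trying to "clean" traversal sequences in place, because stripping `../` once can leave a new `../` behind; the containment check on the resolved path then stands as an independent guard in case a future change to the sanitizer weakens it.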
