Critical AdonisJS Vulnerability Allows Remote Attacker to Write Files On Server


Posted on January 6, 2026 By CWS

A critical path traversal vulnerability in AdonisJS has been found that could allow remote attackers to write arbitrary files to server filesystems, potentially leading to complete system compromise.

The vulnerability, tracked as CVE-2026-21440, affects the bodyparser module of the popular TypeScript-first web framework and carries a critical CVSS v4 severity score.

The security flaw resides in AdonisJS's multipart file-handling mechanism within the @adonisjs/bodyparser package.

When processing multipart/form-data uploads, the framework's MultipartFile.move() method uses unsafe default options that fail to sanitize client-supplied filenames properly.

| Attribute | Details |
| --- | --- |
| CVE ID | CVE-2026-21440 |
| Severity | Critical (CVSS v4: AV:N/AC:L/AT:P/PR:N/UI:N) |
| Affected Versions | ≤ 10.1.1, ≤ 11.0.0-next.5 |
| Weakness Type | CWE-22 (Path Traversal) |

Attackers can exploit this weakness by submitting specially crafted filenames containing path traversal sequences (such as "../") to escape intended upload directories and write files to arbitrary locations on the server.

Exploitation requires a reachable upload endpoint where developers use MultipartFile.move() without proper filename sanitization. The default configuration permits file overwrites, amplifying the risk.

If attackers can overwrite application code, startup scripts, or configuration files, remote code execution becomes possible depending on filesystem permissions and deployment configuration.

Security researcher Wodzen discovered and reported this vulnerability on GitHub, which affects @adonisjs/bodyparser versions up to 10.1.1 and prerelease versions 11.0.0-next.5 and earlier.

AdonisJS has released security patches for versions 6 and 7. Developers should immediately upgrade to @adonisjs/bodyparser version 10.1.2 or 11.0.0-next.6.

Organizations using affected versions should audit their upload endpoints and implement explicit filename sanitization as an additional security layer.
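One way to implement the explicit filename sanitization recommended above, as an added example that is not AdonisJS or advisory code: the client filename is reduced to a basename, replaced by a server-generated name, and the final path is checked for containment in the upload root. The upload root, the extension allow-list and every function name here are assumptions made for illustration.

```javascript
// Added example: framework-agnostic defence for upload destinations.
const path = require("node:path");
const { randomUUID } = require("node:crypto");

// Assumed policy: only these extensions are accepted.
const ALLOWED_EXT = new Set([".png", ".jpg", ".pdf"]);

// Reduce a client-supplied filename to a bare basename, or null if unusable.
function sanitizeClientName(clientName) {
  if (typeof clientName !== "string" || clientName.includes("\0")) return null;
  // Treat "\" and "/" both as separators, whatever OS the server runs on.
  const base = clientName.replace(/\\/g, "/").split("/").pop();
  if (!base || base === "." || base === "..") return null;
  return base;
}

// True only if `candidate` resolves to a location strictly below `root`.
function isInside(root, candidate) {
  const rel = path.relative(path.resolve(root), path.resolve(candidate));
  if (rel === "" || path.isAbsolute(rel)) return false;
  return rel !== ".." && !rel.startsWith(".." + path.sep);
}

// Build the destination: the client name contributes only its extension;
// the stored name is generated server-side, then containment is re-checked.
function safeDestination(uploadRoot, clientName) {
  const base = sanitizeClientName(clientName);
  if (base === null) return null;
  const ext = path.extname(base).toLowerCase();
  if (!ALLOWED_EXT.has(ext)) return null;
  const name = randomUUID() + ext;
  const dest = path.resolve(uploadRoot, name);
  return isInside(uploadRoot, dest) ? { name, dest } : null;
}
```

Pass the generated `name` to the upload call explicitly rather than relying on the client value, and write with overwriting disabled so an existing file is never replaced.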
