Cyber Web Spider Blog – News

Critical AdonisJS Vulnerability Allows Remote Attacker to Write Files on Server


Posted on January 6, 2026 By CWS

A critical path traversal vulnerability has been found in AdonisJS that could allow remote attackers to write arbitrary files to server filesystems, potentially leading to complete system compromise.

The vulnerability, tracked as CVE-2026-21440, affects the bodyparser module of the popular TypeScript-first web framework and carries a critical CVSS v4 severity score.

The security flaw resides in AdonisJS's multipart file-handling mechanism in the @adonisjs/bodyparser package.

When processing multipart/form-data uploads, the framework's MultipartFile.move() method uses unsafe default options that fail to sanitize client-supplied filenames properly.

| Attribute | Details |
|---|---|
| CVE ID | CVE-2026-21440 |
| Severity | Critical (CVSS v4: AV:N/AC:L/AT:P/PR:N/UI:N) |
| Affected Versions | ≤ 10.1.1, ≤ 11.0.0-next.5 |
| Vulnerability Type | CWE-22 (Path Traversal) |

Attackers can exploit this weakness by submitting specially crafted filenames containing path traversal sequences (such as "../") to escape the intended upload directory and write files to arbitrary locations on the server.

Exploitation requires a reachable upload endpoint where developers call MultipartFile.move() without proper filename sanitization. The default configuration also permits file overwrites, amplifying the risk.

If attackers can overwrite application code, startup scripts, or configuration files, remote code execution becomes possible depending on filesystem permissions and deployment configuration.

Security researcher Wodzen discovered and reported this vulnerability on GitHub. It affects @adonisjs/bodyparser versions up to 10.1.1 and prerelease versions 11.0.0-next.5 and earlier.

AdonisJS has released security patches for versions 6 and 7. Developers should immediately upgrade to @adonisjs/bodyparser version 10.1.2 or 11.0.0-next.6.

Organizations using affected versions should audit their upload endpoints and implement explicit filename sanitization as an additional security layer.
