CyberSecurity News

Critical AdonisJS Vulnerability Allows Remote File Write

A Critical AdonisJS Vulnerability has been identified within AdonisJS. This flaw could enable Remote File Write arbitrary files to server filesystems, potentially leading to a complete system...

Marcus Rodriguez
Marcus Rodriguez
January 6, 2026 2 Min Read
15 0

A Critical AdonisJS Vulnerability has been identified within AdonisJS. This flaw could enable Remote File Write arbitrary files to server filesystems, potentially leading to a complete system compromise.

The vulnerability, tracked as CVE-2026-21440, affects the bodyparser module of the popular TypeScript-first web framework and carries a critical CVSS v4 severity rating.​

The security flaw resides in AdonisJS’s multipart file-handling mechanism in the @adonisjs/bodyparser package.

When processing multipart/form-data uploads, the framework’s MultipartFile.move() method uses unsafe default options that fail to sanitize client-supplied filenames properly.

Attribute Details
CVE ID CVE-2026-21440​
Severity Critical (CVSS v4: AV:N/AC:L/AT:P/PR:N/UI:N)​
Affected Versions ≤ 10.1.1, ≤ 11.0.0-next.5​
Weakness Type CWE-22 (Path Traversal)​

Attackers can exploit this weakness by submitting specially crafted filenames containing path traversal sequences (such as “../”) to escape intended upload directories and write files to arbitrary locations on the server.​

Exploitation requires a reachable upload endpoint that developers can use with MultipartFile.move() without proper filename sanitization. The vulnerability’s default configuration allows file overwrites, amplifying the threat.

If attackers can overwrite application code, startup scripts, or configuration files, remote code execution becomes possible depending on filesystem permissions and deployment configuration.​

Security researcher Wodzen discovered and reported this vulnerability on GitHub, which affects @adonisjs/bodyparser versions up to 10.1.1 and prerelease versions 11.0.0-next.5 and earlier.​

AdonisJS has released security patches for versions 6 and 7. Developers should immediately upgrade to @adonisjs/bodyparser version 10.1.2 or 11.0.0-next.6.

Organizations using affected versions should audit their upload endpoints and implement explicit filename sanitization as an additional security layer.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityThreatVulnerability

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

No Comment! Be the first one.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts