CVE-2026-21440
Path Traversal in AdonisJS Bodyparser Allows Arbitrary File Write
Publication date: 2026-01-02
Last updated on: 2026-01-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adonisjs | bodyparser | up to 11.0.0-next.6 (exclusive) |
| adonisjs | bodyparser | 10.1.2 |
| adonisjs | bodyparser | 11.0.0-next.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21440 is a critical Path Traversal vulnerability in the AdonisJS framework's multipart file handling, specifically in the @adonisjs/bodyparser package. The issue occurs when the MultipartFile.move(location, options) method uses the client-supplied filename without sanitization if no explicit filename is provided. This allows an attacker to craft filenames with path traversal sequences (like "../") to write files to arbitrary locations on the server filesystem, potentially overwriting critical files. Exploitation requires an accessible upload endpoint and happens when developers do not specify or sanitize filenames during file moves. The vulnerability can lead to severe impacts including remote code execution depending on system setup. [1]
How can this vulnerability impact me?
This vulnerability can allow a remote attacker to write arbitrary files anywhere on the server filesystem by exploiting path traversal in file uploads. This can lead to overwriting important files such as application code, startup scripts, or configuration files. As a result, it may enable remote code execution, compromise system confidentiality, integrity, and availability, and disrupt normal application operation. The impact depends on filesystem permissions and deployment environment but is considered critical. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your AdonisJS application is using a vulnerable version of the @adonisjs/bodyparser package (versions up to 10.1.1 or 11.x prerelease versions prior to 11.0.0-next.6) and if the MultipartFile.move() method is used without specifying a sanitized filename. You can check your package version with the command `npm list @adonisjs/bodyparser` or `yarn list @adonisjs/bodyparser`. Additionally, monitoring your server logs or upload endpoints for suspicious file upload attempts containing path traversal sequences like '../' in filenames may help detect exploitation attempts. There are no specific commands provided in the resources for direct detection of exploitation, but reviewing application code for unsafe usage of MultipartFile.move() and scanning for unexpected file writes outside upload directories can be effective. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade the @adonisjs/bodyparser package to version 10.1.2 or later, or 11.0.0-next.6 or later, where the issue is patched. The fix involves changing the file move operation to use a securely generated random filename (UUID or random string) instead of the client-supplied filename, preventing path traversal attacks. Additionally, review your code to ensure that MultipartFile.move() is called with explicit, sanitized filenames if you rely on preserving original filenames. Applying these updates and code changes will close the security gap and prevent arbitrary file writes on the server. [2, 4, 5]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.