CVE-2026-21440
Unknown Unknown - Not Provided
Path Traversal in AdonisJS Bodyparser Allows Arbitrary File Write

Publication date: 2026-01-02

Last updated on: 2026-01-02

Assigner: GitHub, Inc.

Description
AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-02
Last Modified
2026-01-02
Generated
2026-06-16
AI Q&A
2026-01-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21440
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
adonisjs bodyparser to 11.0.0-next.6 (exc)
adonisjs bodyparser 10.1.2
adonisjs bodyparser 11.0.0-next.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not contain information about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-21440 is a critical Path Traversal vulnerability in the AdonisJS framework's multipart file handling, specifically in the @adonisjs/bodyparser package. The issue occurs when the MultipartFile.move(location, options) method uses the client-supplied filename without sanitization if no explicit filename is provided. This allows an attacker to craft filenames with path traversal sequences (like "../") to write files to arbitrary locations on the server filesystem, potentially overwriting critical files. Exploitation requires an accessible upload endpoint and happens when developers do not specify or sanitize filenames during file moves. The vulnerability can lead to severe impacts including remote code execution depending on system setup. [1]

Impact Analysis

This vulnerability can allow a remote attacker to write arbitrary files anywhere on the server filesystem by exploiting path traversal in file uploads. This can lead to overwriting important files such as application code, startup scripts, or configuration files. As a result, it may enable remote code execution, compromise system confidentiality, integrity, and availability, and disrupt normal application operation. The impact depends on filesystem permissions and deployment environment but is considered critical. [1]

Detection Guidance

Detection of this vulnerability involves identifying if your AdonisJS application is using a vulnerable version of the @adonisjs/bodyparser package (versions up to 10.1.1 or 11.x prerelease versions prior to 11.0.0-next.6) and if the MultipartFile.move() method is used without specifying a sanitized filename. You can check your package version with the command `npm list @adonisjs/bodyparser` or `yarn list @adonisjs/bodyparser`. Additionally, monitoring your server logs or upload endpoints for suspicious file upload attempts containing path traversal sequences like '../' in filenames may help detect exploitation attempts. There are no specific commands provided in the resources for direct detection of exploitation, but reviewing application code for unsafe usage of MultipartFile.move() and scanning for unexpected file writes outside upload directories can be effective. [1]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade the @adonisjs/bodyparser package to version 10.1.2 or later, or 11.0.0-next.6 or later, where the issue is patched. The fix involves changing the file move operation to use a securely generated random filename (UUID or random string) instead of the client-supplied filename, preventing path traversal attacks. Additionally, review your code to ensure that MultipartFile.move() is called with explicit, sanitized filenames if you rely on preserving original filenames. Applying these updates and code changes will close the security gap and prevent arbitrary file writes on the server. [2, 4, 5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21440. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart