Full Report
Users of the "@adonisjs/bodyparser" npm package are being advised to update to the latest version following the disclosure of a critical security vulnerability that, if successfully exploited, could allow a remote attacker to write arbitrary files on the server. Tracked as CVE-2026-21440 (CVSS score: 9.2), the flaw has been described as a path traversal issue affecting the AdonisJS multipart
Analysis Summary
# Vulnerability: Path Traversal Leading to Arbitrary File Write in AdonisJS Bodyparser
## CVE Details
- CVE ID: CVE-2026-21440
- CVSS Score: 9.2 (Critical)
- CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Portion of a Physical File System - Path Traversal)
## Affected Systems
- Products: `@adonisjs/bodyparser` npm package
- Versions: up to and including `10.1.1` on the stable line, and up to and including `11.0.0-next.5` on the pre-release line.
- Configurations: Applications using the `MultipartFile.move(location, options)` function without explicitly sanitizing the filename or without providing the second `options` argument. Successful exploitation requires a reachable upload endpoint.
## Vulnerability Description
The vulnerability is a path traversal flaw in the `MultipartFile.move(location, options)` function of the AdonisJS multipart file handling mechanism. When an attacker supplies a crafted filename containing path traversal sequences (e.g., `..` segments) and the application falls back to that unsanitized client-supplied filename (by omitting the `name` parameter in the options), the file is written to a destination outside the intended upload directory. With the `overwrite` option set to true, existing files at that destination are replaced as well, which gives the attacker an arbitrary file write on the server.
## Exploitation
- Status: The advisory does not state whether the flaw is exploited in the wild or whether a public PoC exists; given the critical severity and the nature of path traversal, exploitability is considered high.
- Complexity: Medium (Requires successful exploitation of a specific file upload endpoint configuration).
- Attack Vector: Network
## Impact
- Confidentiality: High (RCE is possible if configuration or startup files are overwritten).
- Integrity: Critical (Arbitrary file write, potential for overwriting critical system or application files).
- Availability: High (Potential for application/system denial of service or compromise via RCE).
*Note: Remote Code Execution (RCE) is not guaranteed and depends on filesystem permissions, deployment layout, and application/runtime behavior.*
## Remediation
### Patches
- Update to `@adonisjs/bodyparser` version **10.1.2** or later.
- For the pre-release branch, update to version **11.0.0-next.6** or later.
### Workarounds
- Developers must explicitly sanitize any client-supplied filename before calling `MultipartFile.move()`.
- Ensure the second options argument is always provided when using `MultipartFile.move()` to explicitly control the destination filename.
- In Node.js environments, the `--permission` flag can restrict the process's file system access (as suggested for a related vulnerability) and offers defense in depth, but it does not replace the explicit code fixes above.
## Detection
- Indicators of Compromise: Anomalous file writes occurring near application configuration, startup scripts, or binary directories.
- Detection methods and tools: Monitor HTTP requests targeting file upload endpoints for suspicious filename parameters containing directory traversal sequences (`../`, `..\`, etc.). Intrusion detection systems (IDS) should prioritize alerting on unusual file write events originating from web processes.
## References
- Vendor Advisory: [https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h](https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h)