Framework: AdonisJS
Affected Package: @adonisjs/bodyparser
CVE ID: CVE-2026-21440
Vulnerability Class: Path Traversal leading to Arbitrary File Write
CWE: CWE-22 – Improper Limitation of a Pathname to a Restricted Directory
Executive Summary
CVE-2026-21440 is a high-risk security vulnerability affecting the multipart file upload handling in AdonisJS. Due to insufficient validation of user-supplied filenames, an unauthenticated remote attacker can exploit directory traversal sequences to write files to unintended locations on the server filesystem.
This vulnerability does not require authentication or user interaction and can be exploited remotely. In real-world scenarios, this flaw can be chained into full server compromise, including remote code execution, persistence, data tampering, or denial of service.
Risk and Scoring Details
| Category | Value |
|---|---|
| CVSS v3.1 Score | 8.8 |
| Severity | High |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | Low |
| Integrity Impact | High |
| Availability Impact | High |
The high score is driven by how easily the issue can be exploited and the severity of the impact once exploitation is successful.
Affected and Fixed Versions
Affected versions
- @adonisjs/bodyparser versions up to and including 10.1.1
- All 11.x prerelease versions prior to 11.0.0-next.6
Fixed versions
- @adonisjs/bodyparser 10.1.2
- @adonisjs/bodyparser 11.0.0-next.6
Technical Root Cause
The vulnerability originates from improper handling of the filename attribute within multipart/form-data requests. When processing file uploads, the framework allows user-controlled filenames to be combined with server-side upload paths without adequate normalization or sanitization.
As a result, directory traversal characters such as ../ or encoded equivalents are not consistently rejected or resolved safely. This allows attackers to escape the intended upload directory and target arbitrary filesystem locations.
Exploitation Details
How an Attacker Can Exploit This
- The attacker identifies an endpoint that accepts multipart file uploads.
- A specially crafted HTTP request is sent with a manipulated filename field.
- The filename contains directory traversal sequences or absolute paths.
- The server processes the request and writes the file using the supplied path.
- The file is written outside the intended upload directory.
Why Exploitation Is Practical
- File uploads are commonly exposed in web applications.
- No authentication or permissions are required.
- Payload construction is trivial.
- No race conditions or timing dependencies are involved.
Example Attack Payloads
These payloads demonstrate filenames that could trigger traversal behavior if not properly sanitized:
filename=../../../../tmp/malicious.js
filename=../config/database.ts
filename=..%2f..%2f..%2fapp/start/kernel.ts
filename=/var/www/app/server.js
filename=C:\ProgramData\startup.js
If the Node.js process has write permissions, these filenames may lead to successful file placement.
Potential Impact Scenarios
- Overwriting application source files
- Injecting malicious startup scripts
- Dropping web shells or backdoors
- Modifying configuration files
- Crashing the application by corrupting dependencies
- Establishing persistence on the server
In environments where uploads are processed automatically or executed later, this vulnerability can directly lead to remote code execution.
Detection and Monitoring Guidance
Indicators of Compromise
- Upload requests containing traversal patterns in filenames
- Files appearing outside expected upload directories
- Modified application files shortly after upload requests
- Unexpected service restarts or crashes
- Changes in configuration without administrative action
Detection Rules and Patterns
Recommended Pattern Matching
Monitor for these patterns in upload metadata and logs:
../
..\
%2e%2e%2f
%2e%2e%5c
:/
Any filename containing path separators or traversal indicators should be treated as suspicious.
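The pattern list above as working detection logic, added here as an example (not code from the advisory or from AdonisJS): it percent-decodes each logged filename before matching, so the mixed form ..%2f from the payload list is caught as well. The log line format, field names and sample lines are constructed for the example.

```javascript
const TRAVERSAL_PATTERNS = [
  { name: "dot-dot-slash", re: /\.\.\// },
  { name: "dot-dot-backslash", re: /\.\.\\/ },
  { name: "encoded-dot-dot-slash", re: /%2e%2e%2f/i },
  { name: "encoded-dot-dot-backslash", re: /%2e%2e%5c/i },
  { name: "drive-or-scheme", re: /:[\\\/]/ },
];

// Percent-decode a bounded number of times, so that mixed (..%2f) and
// double-encoded (%252e) forms are matched once they collapse to plain text.
function fullyDecode(value, maxRounds = 3) {
  for (let i = 0; i < maxRounds; i++) {
    let decoded;
    try { decoded = decodeURIComponent(value); } catch { break; }
    if (decoded === value) break;
    value = decoded;
  }
  return value;
}

// Names of the indicators present in one filename, tested on the raw value
// and on its decoded form; absolute paths (leading / or drive letter) are flagged too.
function matchTraversal(filename) {
  const decoded = fullyDecode(filename);
  const hits = TRAVERSAL_PATTERNS
    .filter(({ re }) => re.test(filename) || re.test(decoded))
    .map(({ name }) => name);
  if (/^(\/|[A-Za-z]:[\\\/])/.test(decoded)) hits.push("absolute-path");
  return hits;
}

// Scan constructed lines shaped like '<ts> upload field=<f> filename=<name> size=<n>'
// and return the suspicious ones together with the indicators that fired.
function scanUploadLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = /filename=(\S+)/.exec(line);
    const indicators = m ? matchTraversal(m[1]) : [];
    if (indicators.length > 0) findings.push({ line, filename: m[1], indicators });
  }
  return findings;
}

// Constructed sample log lines (not real traffic); the filenames are the advisory's examples.
const SAMPLE_LOG = [
  "2026-01-10T12:00:01Z upload field=avatar filename=photo.png size=23411",
  "2026-01-10T12:00:02Z upload field=avatar filename=../../../../tmp/malicious.js size=120",
  "2026-01-10T12:00:03Z upload field=avatar filename=..%2f..%2f..%2fapp/start/kernel.ts size=98",
  "2026-01-10T12:00:04Z upload field=avatar filename=C:\\ProgramData\\startup.js size=77",
];
```

Running scanUploadLog(SAMPLE_LOG) flags the last three lines; the benign photo.png line produces no indicator.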
Recommended Log Sources
To effectively detect exploitation attempts, the following log sources should be enabled and monitored:
- Application logs capturing multipart upload metadata
- Reverse proxy or web server access logs
- File integrity monitoring on application directories
- Host-level audit logs for file write operations
- Endpoint detection logs for Node.js process activity
MITRE ATT&CK Mapping
- T1190 – Exploit Public-Facing Application
Exploitation through exposed upload endpoints.
- T1106 – Native API Abuse
Abuse of filesystem write operations through application logic.
- T1059 – Command and Scripting Interpreter
Possible follow-on if malicious scripts are written and executed.
Mitigation and Remediation
Official Patch (Required)
Upgrade to a fixed version of the package immediately.
Official patch release:
https://github.com/adonisjs/bodyparser/releases/tag/v10.1.2
Additional Security Hardening
Even after applying the patch, the following controls are strongly recommended:
- Enforce server-side filename generation
- Reject filenames containing path separators
- Restrict uploads to non-executable directories
- Run the Node.js process with minimal filesystem permissions
- Apply WAF rules for traversal detection
- Enable continuous file integrity monitoring
Final Takeaway
CVE-2026-21440 is a critical example of how seemingly minor input validation issues can lead to severe system compromise. Because the vulnerability is easy to exploit and impacts a common feature, it should be prioritized for immediate remediation.
Organizations running AdonisJS applications with file upload functionality should assume exposure until patched and validated.
