Advisory

Critical path traversal flaw in AdonisJS enables server takeover

Take action: Update your AdonisJS dependencies immediately to prevent attackers from overwriting your application code or stealing local files. Always sanitize user-provided filenames and use the Node.js permission flag to limit file system access.


Learn More

AdonisJS maintainers have patched a path traversal flaw in the @adonisjs/bodyparser package. This library handles HTTP request bodies for the Node.js framework. 

The bug is tracked as CVE-2026-21440 (CVSS score 9.2) and allows attackers to write files to any location on a server. This happens when developers use the MultipartFile.move() function without setting specific security options. If an attacker can reach an upload endpoint, they can exploit this flaw to compromise the host.

If a developer does not provide a new filename, the system uses the name sent by the user's browser. Attackers can send filenames with traversal sequences to jump out of the upload folder. Because the library also defaults to overwriting existing files, an attacker can replace system scripts or configuration files. This can lead to full server takeover if the overwritten files run later.

Attackers can overwrite or modify application source code, startup scripts, and configuration files, and can access local system files and sensitive server data.

Users should update @adonisjs/bodyparser to version 10.1.2 or 11.0.0-next.6 immediately. Independently of the patch, always sanitize user-provided filenames before saving them to disk to prevent directory traversal attacks.
