CVE-2026-21440
📋 TL;DR
A path traversal vulnerability in AdonisJS multipart file handling allows remote attackers to write arbitrary files to arbitrary locations on the server filesystem. This affects applications using @adonisjs/bodyparser for file uploads. The vulnerability impacts all users of affected versions who accept file uploads through AdonisJS.
💻 Affected Systems
- @adonisjs/bodyparser
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution via writing malicious files to critical locations, complete server compromise, data exfiltration, or service disruption.
Likely Case
Unauthorized file writes to web-accessible directories leading to web shell deployment, data manipulation, or privilege escalation.
If Mitigated
Limited impact if file uploads are disabled or strict validation is implemented, though the vulnerability still exists in the framework.
🎯 Exploit Status
Exploitation requires sending specially crafted multipart file upload requests with directory traversal sequences in filenames.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: @adonisjs/bodyparser 10.1.2 or 11.0.0-next.6
Vendor Advisory: https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h
Restart Required: Yes
Instructions:
1. Update package.json to use @adonisjs/bodyparser version 10.1.2 or 11.0.0-next.6.
2. Run 'npm update @adonisjs/bodyparser' or 'yarn upgrade @adonisjs/bodyparser'.
3. Restart the Node.js application.
🔧 Temporary Workarounds
Disable file uploads
Temporarily disable multipart file upload functionality in the AdonisJS configuration
Edit config/bodyparser.ts and set multipart: { processManually: false }
Implement custom file validation
Add server-side validation that rejects filenames containing path traversal sequences
Implement middleware that checks each uploaded file's client-supplied filename for '../', '..\' and their URL-encoded forms, and rejects the request when one is found
🧯 If You Can't Patch
- Implement strict file upload validation middleware that sanitizes filenames
- Run application with least privilege user account to limit filesystem access
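The filename validation described in the workaround and "If You Can't Patch" items above, as an added example that is not code from AdonisJS or the advisory. It assumes an upload directory of /var/app/uploads and that uploaded files expose a `clientName` string, as AdonisJS multipart files do; the check decodes percent-encoding, treats backslashes as separators, and proves the final path stays inside the upload root instead of only pattern-matching on '../'.

```typescript
import * as path from 'node:path'

// Assumed upload directory for this example; a real app would derive it from its own config.
const UPLOAD_ROOT: string = path.resolve('/var/app/uploads')

// Percent-decode up to three times so '%2e%2e%2f' and double-encoded '%252e' are both caught.
function fullyDecode(name: string): string {
  let current = name
  for (let i = 0; i < 3; i++) {
    let next: string
    try {
      next = decodeURIComponent(current)
    } catch {
      return current // malformed escape: keep what we have and let the later checks judge it
    }
    if (next === current) return next
    current = next
  }
  return current
}

// True when a client-supplied filename carries a '..' segment, an absolute path or a NUL byte.
function hasTraversal(clientName: string): boolean {
  const decoded = fullyDecode(clientName).replace(/\\/g, '/') // backslash counts as a separator
  if (decoded.includes('\0')) return true
  if (path.posix.isAbsolute(decoded) || /^[a-zA-Z]:/.test(decoded)) return true
  return decoded.split('/').some((segment) => segment === '..')
}

// Resolve where the file would land and prove it stays under UPLOAD_ROOT; null means "refuse it".
function safeDestination(clientName: string): string | null {
  if (hasTraversal(clientName)) return null
  const base = path.basename(fullyDecode(clientName).replace(/\\/g, '/'))
  if (base === '' || base === '.' || base === '..') return null
  const dest = path.resolve(UPLOAD_ROOT, base)
  const rel = path.relative(UPLOAD_ROOT, dest)
  if (rel === '' || rel.startsWith('..') || path.isAbsolute(rel)) return null
  return dest
}

// Middleware-style check over one request's uploads (input shape assumed to match
// AdonisJS's MultipartFile.clientName): returns the names the handler should reject with HTTP 400.
function offendingUploads(files: Array<{ clientName: string }>): string[] {
  return files.filter((f) => safeDestination(f.clientName) === null).map((f) => f.clientName)
}
```

Because `safeDestination` also returns the vetted on-disk path, the same function can be used when calling the file's move method, so the write target is never built from the raw client name.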
🔍 How to Verify
Check if Vulnerable:
Check package.json for @adonisjs/bodyparser version. If version is <=10.1.1 or between 11.0.0-next.0 and 11.0.0-next.5, the system is vulnerable.
Check Version:
npm list @adonisjs/bodyparser
Verify Fix Applied:
Verify package.json shows @adonisjs/bodyparser version 10.1.2 or 11.0.0-next.6, then test file uploads with traversal attempts.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with filenames containing '../' or similar traversal patterns
- File write operations to unexpected directories
Network Indicators:
- Multipart file upload requests with unusual filenames
- HTTP POST requests to file upload endpoints with encoded path sequences
SIEM Query:
source="web_logs" AND (filename="*../*" OR filename="*..\\*" OR path="*../*") AND method="POST"
🔗 References
- https://github.com/adonisjs/bodyparser/commit/143a16f35602be8561215611582211dec280cae6
- https://github.com/adonisjs/bodyparser/commit/6795c0e3fa824ae275bbd992aae60609e96f0f03
- https://github.com/adonisjs/bodyparser/releases/tag/v10.1.2
- https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.6
- https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h