CVE-2026-21440
published 2026-01-02
CVE-2026-21440: AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary…
Priority P2 · 61 · critical · 9.2 (CVSS 4.0)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 1.06% (60.4th percentile)
AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adonisjs | bodyparser | >= 0 < 10.1.2 | 10.1.2 |
| adonisjs | bodyparser | >= 11.0.0-next.0 < 11.0.0-next.6 | 11.0.0-next.6 |
| adonisjs | core | < 10.1.2 | 10.1.2 |
| adonisjs | core | — | — |
GHSA
AdonisJS Path Traversal in Multipart File Handling
ghsa·2026-01-02
CVE-2026-21440 [CRITICAL] CWE-22 AdonisJS Path Traversal in Multipart File Handling
### Summary
**Description**
A Path Traversal (CWE-22) vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.
### Details
AdonisJS parses `multipart/form-data` via `BodyParser` and exposes uploads as `MultipartFile`. The issue is in the `MultipartFile.move(location, options)` default options. If `options.name` isn't provided, it defaults to the unsanitized client filename and builds the destination with `path.join(location, name)`, allowing a traver
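
The destination-building pattern described in the Details above, next to a hardened form, as an added example (not AdonisJS source and not the project's patch). The function names, upload root, extension allowlist and sample filenames are assumptions constructed for illustration, and POSIX paths are assumed.

```javascript
// Added illustration, not AdonisJS code. All names here are hypothetical.
const path = require('node:path')
const { randomUUID } = require('node:crypto')

// Pattern from the advisory: destination built from the client-supplied filename.
function unsafeDestination(location, clientName) {
  return path.join(location, clientName)
}

// Containment check: true only if `target` resolves strictly inside `root`.
function isInside(root, target) {
  const rel = path.relative(path.resolve(root), path.resolve(target))
  return rel !== '' && rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel)
}

// Hardened form: server-generated name, allowlisted extension, then verify containment.
const ALLOWED_EXT = new Set(['.png', '.jpg', '.pdf']) // constructed policy
function safeDestination(location, clientName) {
  const ext = path.extname(path.basename(clientName)).toLowerCase()
  if (!ALLOWED_EXT.has(ext)) throw new Error(`extension not allowed: ${ext || '(none)'}`)
  const dest = path.join(location, `${randomUUID()}${ext}`)
  if (!isInside(location, dest)) throw new Error('destination escapes upload root')
  return dest
}

// Constructed sample filenames, as a client could place them in Content-Disposition.
const UPLOAD_ROOT = '/srv/app/uploads'
const samples = ['avatar.png', '../../config/avatar.png', '/etc/avatar.png']

// Compare where each pattern would write for every sample name.
function audit() {
  return samples.map((name) => {
    const naive = unsafeDestination(UPLOAD_ROOT, name)
    const safe = safeDestination(UPLOAD_ROOT, name)
    return {
      name,
      naive,
      naiveInside: isInside(UPLOAD_ROOT, naive),
      safeInside: isInside(UPLOAD_ROOT, safe),
    }
  })
}

console.table(audit())
```

`path.join` collapses `..` segments but does not reject them, so the second sample resolves outside the upload root, while the leading `/` in the third is absorbed and stays inside. In application code, passing an explicit server-chosen `options.name` to `move()` avoids the client-filename default until the patched version is deployed.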
OSV
AdonisJS Path Traversal in Multipart File Handling
osv·2026-01-02
CVE-2026-21440 [CRITICAL] AdonisJS Path Traversal in Multipart File Handling
No detection rules found.
No public exploits indexed.
https://github.com/adonisjs/bodyparser/commit/143a16f35602be8561215611582211dec280cae6
https://github.com/adonisjs/bodyparser/commit/6795c0e3fa824ae275bbd992aae60609e96f0f03
https://github.com/adonisjs/bodyparser/releases/tag/v10.1.2
https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.6
https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h
2026-01-02
Published