A critical security vulnerability has been discovered in AdonisJS, a popular full-stack Node.js web framework known for its focus on ergonomics and speed. The flaw, assigned a CVSS score of 9.2, resides in the framework’s file upload handling and could allow remote attackers to overwrite sensitive system files or potentially achieve Remote Code Execution (RCE).
The vulnerability, tracked as CVE-2026-21440, specifically affects the @adonisjs/bodyparser package, a core component used for parsing multipart form data.
The issue stems from a dangerous default in how the framework handles file moves. When developers call MultipartFile.move(location, options) to save an uploaded file without passing an explicit name, the package trusts the filename supplied by the client, a value the attacker fully controls.
“If options.name isn’t provided, it defaults to the unsanitized client filename and builds the destination with path.join(location, name),” the advisory explains.
This oversight allows an attacker to supply a crafted filename containing traversal sequences (such as ../../). path.join normalizes those “..” segments instead of rejecting them, so the file can “escape the default or intended directory chosen by the developer” and land anywhere on the server filesystem the Node.js process is permitted to write.
Compounding the risk, the default settings are permissive: “If options.overwrite isn’t provided, it defaults to true, allowing file overwrites”.
The impact of this “Arbitrary File Write” vulnerability extends far beyond simple vandalism. If an attacker can overwrite specific files, they can effectively take over the server.
“If the attacker can overwrite application code, startup scripts, or configuration files that are later executed/loaded, RCE is possible,” the report warns.
While RCE is not guaranteed and depends on file permissions and deployment layouts, the potential for total system compromise is significant. The advisory also noted that previous versions of the documentation may have inadvertently contributed to the problem by demonstrating examples that led developers into this “vulnerable code path”.
The vulnerability impacts a wide range of installations using the bodyparser package:
- @adonisjs/bodyparser through version 10.1.1
- 11.x prerelease versions prior to 11.0.0-next.6.
The maintainers have released fixes for both major versions. Developers are urged to update their dependencies immediately to:
- Version 10.1.2
- Version 11.0.0-next.6.
Links to the official release notes and patches can be found on the project’s GitHub repository.