AdonisJS Path Traversal: When 'Move' Actually Means 'Pwn'
Jan 2, 2026·5 min read·8 visits
Executive Summary (TL;DR)
The AdonisJS bodyparser trusted user-supplied filenames by default. An attacker could send a file with a name like `../../../../var/www/shell.php` to overwrite critical system files or deploy web shells. The fix enforces random filenames unless explicitly overridden.
A critical Path Traversal vulnerability in the AdonisJS framework allowed attackers to escape upload directories and write files anywhere on the server filesystem. By manipulating the filename in multipart requests, an attacker could turn a standard profile picture upload into Remote Code Execution.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
@adonisjs/core AdonisJS | < 6.19.2 | 6.19.2 |
@adonisjs/bodyparser AdonisJS | < 10.1.2 | 10.1.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) |
| Attack Vector | Network (Remote) |
| CVSS (Est.) | 8.8 (High) |
| Impact | Arbitrary File Write / RCE |
| Exploit Status | PoC Available |
| Component | @adonisjs/bodyparser |
MITRE ATT&CK Mapping
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.