CVE-2026-21440

AdonisJS Path Traversal: When 'Move' Actually Means 'Pwn'

Alon Barad

Software Engineer

Jan 2, 2026·5 min read·13 visits

PoC Available

Executive Summary (TL;DR)

The AdonisJS bodyparser trusted user-supplied filenames by default. An attacker could send a file with a name like `../../../../var/www/shell.php` to overwrite critical system files or deploy web shells. The fix enforces random filenames unless explicitly overridden.

A critical Path Traversal vulnerability in the AdonisJS framework allowed attackers to escape upload directories and write files anywhere on the server filesystem. By manipulating the filename in multipart requests, an attacker could turn a standard profile picture upload into Remote Code Execution.

Official Patches

AdonisJSCommit fixing the default filename generation

AdonisJSOfficial Security Advisory

Fix Analysis (1)

Technical Appendix

CVSS Score

8.8/ 10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Systems

AdonisJS v6 applications (core < 6.19.2)AdonisJS v7 experimental applications (core < 7.0.0-next.18)Any Node.js app using @adonisjs/bodyparser directly (< 10.1.2)

Affected Versions Detail

Product	Affected Versions	Fixed Version
@adonisjs/core AdonisJS	< 6.19.2	6.19.2
@adonisjs/bodyparser AdonisJS	< 10.1.2	10.1.2

Attribute	Detail
CWE ID	CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
Attack Vector	Network (Remote)
CVSS (Est.)	8.8 (High)
Impact	Arbitrary File Write / RCE
Exploit Status	PoC Available
Component	@adonisjs/bodyparser

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application

Initial Access

T1505.003Server Software Component: Web Shell

Persistence

CWE-22

Path Traversal

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Known Exploits & Detection

TheoryTheoretical exploit chain confirmed by vendor patch analysis.

Vulnerability Timeline

Vulnerability identified and patch committed

2026-01-02

Public advisory (GHSA-gvq6-hvvp-h34h) released

2026-01-02

AdonisJS Core v6.19.2 released with fix

2026-01-02

CVE-2026-21440

8.8

AdonisJS Path Traversal: When 'Move' Actually Means 'Pwn'

Alon Barad

Software Engineer

Jan 2, 2026·5 min read·13 visits

PoC Available

Executive Summary (TL;DR)

Attack Flow Diagram

Official Patches

AdonisJSCommit fixing the default filename generation

AdonisJSOfficial Security Advisory

Fix Analysis (1)

Technical Appendix

CVSS Score

8.8/ 10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Systems

AdonisJS v6 applications (core < 6.19.2)AdonisJS v7 experimental applications (core < 7.0.0-next.18)Any Node.js app using @adonisjs/bodyparser directly (< 10.1.2)

Affected Versions Detail

Product	Affected Versions	Fixed Version
@adonisjs/core AdonisJS	< 6.19.2	6.19.2
@adonisjs/bodyparser AdonisJS	< 10.1.2	10.1.2

Attribute	Detail
CWE ID	CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
Attack Vector	Network (Remote)
CVSS (Est.)	8.8 (High)
Impact	Arbitrary File Write / RCE
Exploit Status	PoC Available
Component	@adonisjs/bodyparser

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application

Initial Access

T1505.003Server Software Component: Web Shell

Persistence

CWE-22

Path Traversal

Known Exploits & Detection

TheoryTheoretical exploit chain confirmed by vendor patch analysis.

Vulnerability Timeline

Vulnerability identified and patch committed

2026-01-02

Public advisory (GHSA-gvq6-hvvp-h34h) released

2026-01-02

AdonisJS Core v6.19.2 released with fix

2026-01-02