"If a developer uses MultipartFile.move() without the second options argument or without explicitly sanitizing the filename, an attacker can supply a crafted filename value containing traversal sequences, writing to a destination path outside the intended upload directory," the project maintainers said in an advisory released last week. "This can lead to arbitrary file write on the server. However, successful exploitation hinges on a reachable upload endpoint."
"The "options" parameter holds two values: the name of a file and an overwrite flag indicating "true" or "false." The issue arises when the name parameter is not passed as input, causing the application to default to an unsanitized client filename that opens the door to path traversal. This, in turn, allows an attacker to choose an arbitrary destination of their liking and overwrite sensitive files, if the overwrite flag is set to "true.""
A critical path traversal vulnerability in @adonisjs/bodyparser multipart handling can enable remote attackers to write arbitrary files when MultipartFile.move() is used without a provided name or filename sanitization. The options argument contains a filename and an overwrite flag; omitting the name causes the code to use an unsanitized client filename, allowing traversal sequences to escape the intended upload directory. Successful exploitation requires a reachable upload endpoint and can overwrite application code, startup scripts, or configuration files, which could lead to remote code execution if those files are later executed. Tracked as CVE-2026-21440 (CVSS 9.2).
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]