CRITICAL | CVE-2026-21440 | CVSS 9.5

Path Traversal in Multipart File Handling in AdonisJS

Platform

nodejs

Component

@adonisjs/bodyparser

Fixed in

10.1.3

11.0.1

10.1.2

AI Confidence: high | NVD | EPSS 0.1% | Reviewed: May 2026

CVE-2026-21440 describes a Path Traversal vulnerability within the @adonisjs/bodyparser library, a Node.js middleware for parsing request bodies. This flaw allows a remote attacker to write arbitrary files to the server's filesystem, potentially leading to complete system compromise. The vulnerability affects versions of @adonisjs/bodyparser up to 10.1.1 and prerelease versions of 11.x before 11.0.0-next.6. A patch has been released in version 10.1.2 and 11.0.0-next.6.

Impact and Attack Scenarios

The core of the vulnerability lies in the MultipartFile.move(location, options) function within @adonisjs/bodyparser. The default options for this function are insufficiently restrictive, allowing an attacker to manipulate the location parameter to write files outside of the intended upload directory. This can be exploited by crafting malicious multipart/form-data requests that include a carefully crafted filename. Successful exploitation could allow an attacker to overwrite critical system files, execute arbitrary code, or gain persistent access to the server. The blast radius extends to any application utilizing @adonisjs/bodyparser for file uploads, potentially impacting sensitive data and system integrity.

Exploitation Context

This vulnerability was publicly disclosed on January 2, 2026. While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity and ease of exploitation suggest a high likelihood of future attacks. There are currently no known public proof-of-concept exploits, but the vulnerability's nature makes it relatively straightforward to develop. The vulnerability is not currently listed on the CISA KEV catalog.

Who Is at Risk

Applications built with the AdonisJS framework that utilize @adonisjs/bodyparser for file uploads are at risk. This includes web applications, APIs, and any other services that process multipart/form-data requests. Specifically, applications using older versions of AdonisJS or those with custom file upload handling logic that doesn't adequately validate the upload location are particularly vulnerable.

Detection Steps

• nodejs / server:

  npm list @adonisjs/bodyparser

• nodejs / server:

  npm audit @adonisjs/bodyparser

• nodejs / server:

  grep -r 'MultipartFile.move' /path/to/your/app/http/controllers

• generic web: Inspect application logs for unusual file creation events or errors related to file uploads, particularly those involving path traversal attempts.

Attack Timeline

  1. Disclosure

  2. Patch

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO

EPSS

0.11% (29th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

Affected Software

Component: @adonisjs/bodyparser
Vendor: osv

Affected range                                   Fixed in
< 10.1.2                                         10.1.3
>= 11.0.0-next.0, < 11.0.0-next.6                11.0.1
Also listed as fixed in: 10.1.2

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-21440 is to immediately upgrade to @adonisjs/bodyparser version 10.1.2 or 11.0.0-next.6 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious filenames or path traversal sequences in the location parameter. Additionally, restrict file upload permissions to the minimum necessary and implement strict input validation to prevent malicious filenames from being processed. Review and harden the application's file handling logic to ensure that uploaded files are stored in a secure location and are properly sanitized before use. After upgrading, confirm the fix by attempting to upload a file with a path traversal payload (e.g., ../../../../etc/passwd) and verifying that the upload fails with an appropriate error.

How to Fix

Update the @adonisjs/bodyparser package to version 10.1.2 or higher, or to version 11.0.0-next.6 or higher. This fixes the path traversal vulnerability. Run `npm update @adonisjs/bodyparser` or `yarn upgrade @adonisjs/bodyparser` to update the package.


Frequently Asked Questions

What is CVE-2026-21440 — Path Traversal in @adonisjs/bodyparser?

CVE-2026-21440 is a CRITICAL Path Traversal vulnerability in @adonisjs/bodyparser, allowing attackers to write arbitrary files to the server. It affects versions up to 10.1.1 and prereleases before 11.0.0-next.6.

Am I affected by CVE-2026-21440 in @adonisjs/bodyparser?

You are affected if your application uses @adonisjs/bodyparser versions up to 10.1.1 or prerelease versions of 11.x before 11.0.0-next.6.

How do I fix CVE-2026-21440 in @adonisjs/bodyparser?

Upgrade to @adonisjs/bodyparser version 10.1.2 or 11.0.0-next.6 or later. Consider WAF rules and input validation as temporary mitigations.

Is CVE-2026-21440 being actively exploited?

While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity suggests a high likelihood of future attacks.

Where can I find the official @adonisjs/bodyparser advisory for CVE-2026-21440?

Refer to the official AdonisJS security advisories and release notes for details: [https://github.com/adonisjs/body-parser/releases](https://github.com/adonisjs/body-parser/releases)
