Platform
nodejs
Component
@adonisjs/bodyparser
Fixed versions
10.1.3
11.0.1
10.1.2
CVE-2026-21440 describes a Path Traversal vulnerability within the @adonisjs/bodyparser library, a Node.js middleware for parsing request bodies. This flaw allows a remote attacker to write arbitrary files to the server's filesystem, potentially leading to complete system compromise. The vulnerability affects versions of @adonisjs/bodyparser up to 10.1.1 and prerelease versions of 11.x before 11.0.0-next.6. Patches have been released in versions 10.1.2 and 11.0.0-next.6.
The core of the vulnerability lies in the MultipartFile.move(location, options) function within @adonisjs/bodyparser. The default options for this function are insufficiently restrictive, allowing an attacker to manipulate the location parameter and write files outside of the intended upload directory. This can be exploited by sending malicious multipart/form-data requests with a specially crafted filename. Successful exploitation could allow an attacker to overwrite critical system files, execute arbitrary code, or gain persistent access to the server. The blast radius extends to any application that uses @adonisjs/bodyparser for file uploads, potentially impacting sensitive data and system integrity.
This vulnerability was publicly disclosed on January 2, 2026. While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity and ease of exploitation suggest a high likelihood of future attacks. There are currently no known public proof-of-concept exploits, but the vulnerability's nature makes it relatively straightforward to develop. The vulnerability is not currently listed on the CISA KEV catalog.
Applications built with the AdonisJS framework that utilize @adonisjs/bodyparser for file uploads are at risk. This includes web applications, APIs, and any other services that process multipart/form-data requests. Specifically, applications using older versions of AdonisJS or those with custom file upload handling logic that doesn't adequately validate the upload location are particularly vulnerable.
• nodejs / server: `npm list @adonisjs/bodyparser`
• nodejs / server: `npm audit @adonisjs/bodyparser`
• nodejs / server: `grep -r 'MultipartFile.move' /path/to/your/app/http/controllers`
• generic web: Inspect application logs for unusual file creation events or errors related to file uploads, particularly those involving path traversal attempts.
Exploit status
EPSS
0.11% (29th percentile)
CISA SSVC
The primary mitigation for CVE-2026-21440 is to immediately upgrade to @adonisjs/bodyparser version 10.1.2 or later, or 11.0.0-next.6 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious filenames or path traversal sequences in the location parameter. Additionally, restrict file upload permissions to the minimum necessary and implement strict input validation so that malicious filenames are rejected before they are processed. Review and harden the application's file handling logic to ensure that uploaded files are stored in a secure location and are properly sanitized before use. After upgrading, confirm the fix by attempting to upload a file with a path traversal payload (e.g., ../../../../etc/passwd) and verifying that the upload fails with an appropriate error.
Update the @adonisjs/bodyparser package to version 10.1.2 or later, or to version 11.0.0-next.6 or later. This fixes the path traversal vulnerability. Run `npm update @adonisjs/bodyparser` or `yarn upgrade @adonisjs/bodyparser` to update the package.
CVE-2026-21440 is a CRITICAL Path Traversal vulnerability in @adonisjs/bodyparser, allowing attackers to write arbitrary files to the server. It affects versions up to 10.1.1 and prereleases before 11.0.0-next.6.
You are affected if your application uses @adonisjs/bodyparser versions up to 10.1.1 or prerelease versions of 11.x before 11.0.0-next.6.
Upgrade to @adonisjs/bodyparser version 10.1.2 or later, or 11.0.0-next.6 or later. Consider WAF rules and input validation as temporary mitigations.
While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity suggests a high likelihood of future attacks.
Refer to the official AdonisJS security advisories and release notes for details: [https://github.com/adonisjs/body-parser/releases](https://github.com/adonisjs/body-parser/releases)