New Year, Same Vulnerabilities
The top three highlights on my cybersec news feed all start the same way today: a critical vulnerability allowing for bypasses that could lead to remote execution of arbitrary commands. All three have a CVSS score over 9. Two of them are CVEs discovered last year, as denoted by their identifiers beginning with 2025, and one is brand new.
The first, as reported by The Hacker News and AdonisJS, is a path traversal issue in the AdonisJS multipart file handling mechanism, affecting versions 10.1.1 (fixed in 10.1.2) and 11.0.0-next.5 (fixed in 11.0.0-next.6). The npm package is a Node.js framework for building web apps and API servers in TypeScript, and the affected component processes HTTP requests. The flaw lets user-supplied input influence the file-move operation, which in turn could allow access outside the intended upload directory. It coincides with a related vulnerability in another npm package (CVE-2025-68428) that could be exploited to pass unsanitized paths and retrieve the contents of arbitrary files on the local file system while the Node.js process is running. Both have workarounds that mostly involve restricting permission to access these paths and/or updating to the latest version.
The next is in n8n, an open source automation platform, and could enable an authenticated attacker to execute arbitrary system commands on the underlying host; it was also reported by The Hacker News and by n8n itself. Codenamed N8scape, it affects versions from 1.0.0 up to, but not including, 2.0.0, where it was fixed. This is a 'sandbox' vulnerability: an authenticated user with permission to create or modify workflows can reach the host machine. The sandboxing feature was introduced as an option in n8n version 1.111.0 to improve security isolation and is the default as of version 2.0.0. In essence, it runs tasks in an external sidecar container. As workarounds for earlier versions, n8n recommends that users configure the environment to exclude certain node parameters or disable Python support in the Code node.
The final vulnerability is in IBM API Connect, a platform for managing application programming interfaces across enterprise environments, and allows remote attackers to gain unauthorized access without valid credentials. Reported by Singapore-based cybersecurity agency Cyble, the flaw stems from an authentication bypass weakness independent of the underlying authentication algorithm. It affects versions 10.0.8.0 through 10.0.8.5, and 10.0.11.0. While the National Vulnerability Database has not recorded exploitation of the flaw in the wild, IBM confirmed through internal testing that it exists and recommends that users upgrade to the current version, which does not carry the vulnerability, or apply the patches released for earlier versions.
So why are we seeing all these vulnerabilities? In a word: automation. The push to make everything more 'efficient' through agentic processes means less oversight when writing the code for programs. Gaps in parameter handling are becoming increasingly prevalent. I don't know how many vulnerabilities I've covered lately where a single flaw ended up creating a mess. I've said it before, and I'll no doubt say it again: we need more quality control. Automation sounds great on paper, but it will never replace human judgment when it comes to uncovering overlooked variables.
Posted on LinkedIn, 1/7/26