## AdonisJS UploadedFile.store() Exposes Critical Security Gap: No Extension or MIME Validation
A critical security vulnerability has been identified in the AdonisJS framework's core file upload handler. The `UploadedFile.store()` method, responsible for saving user-uploaded files to disk, lacks fundamental validation checks, creating a direct path for attackers to upload and execute malicious code on a server. While the method sanitizes filenames to prevent directory traversal, it performs no validation of file extensions, MIME types, or size limits, leaving web applications built on the framework dangerously exposed.

The flaw resides in `packages/core/src/http/UploadedFile.ts`. The `store()` function accepts any file, allowing dangerous extensions like `.php`, `.exe`, `.sh`, `.bat`, and `.jsp` to be written directly to web-accessible directories. Furthermore, it does not verify that a file's MIME type matches its extension, enabling an attacker to disguise a PHP script with a `.jpg` extension and a malicious `application/x-php` content type. The absence of a configurable maximum file size check also opens the door to denial-of-service attacks via resource exhaustion.

This oversight represents a severe risk for any AdonisJS application that handles file uploads. Without the suggested fix (configurable validation of allowed extensions, MIME types, and file size), developers are forced to implement their own security layer or risk their servers being compromised. The vulnerability is a textbook example of how incomplete sanitization can create a false sense of security, and it highlights a significant gap in the framework's default security posture for a common web operation.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, web-framework, file-upload, AdonisJS
- **Credibility**: unverified
- **Published**: 2026-04-22 05:22:36
- **ID**: 75399
- **URL**: https://whisperx.ai/en/intel/75399