
Users of the ‘@adonisjs/bodyparser’ npm package are advised to update to the latest version following disclosure of a critical security vulnerability that, if successfully exploited, could allow a remote attacker to write arbitrary files on the server.
This flaw is tracked as CVE-2026-21440 (CVSS score: 9.2) and is described as a path traversal issue affecting the AdonisJS multipart file handling mechanism. ‘@adonisjs/bodyparser’ is an npm package associated with AdonisJS, a Node.js framework for developing web apps and API servers using TypeScript. This library is used to process AdonisJS HTTP request bodies.
“If a developer uses MultipartFile.move() without specifying the second optional argument or explicitly sanitizing the filename, an attacker could provide a crafted filename value containing a traversal sequence and write to a destination path outside of the intended upload directory,” project administrators said in an advisory released last week. “This could lead to arbitrary files being written on the server.”

However, a successful exploit depends on a reachable upload endpoint. The crux of the problem lies in the function “MultipartFile.move(location, options)”, which moves an uploaded file to the specified location. The “options” parameter carries two values: a file name and an overwrite flag set to “true” or “false.”
The issue arises when the name option is not supplied: the application then falls back to the unsanitized, client-supplied file name, opening the door to path traversal. This lets an attacker choose an arbitrary destination path and, if the overwrite flag is set to ‘true’, overwrite sensitive files.
“If an attacker can overwrite application code, startup scripts, or configuration files that are later executed/loaded, RCE [remote code execution] […]” AdonisJS says, adding that “RCE is not guaranteed and depends on file system permissions, deployment layout, and application/runtime behavior.”
This issue, discovered and reported by Hunter Wodzenski (@wodzen), affects the following versions:
<= 10.1.1 (fixed in 10.1.2)
<= 11.0.0-next.5 (fixed in 11.0.0-next.6)
Defects in jsPDF npm library
This development coincides with the disclosure of another path traversal vulnerability in an npm package named jsPDF (CVE-2025-68428, CVSS score: 9.2). This vulnerability could be exploited to traverse unsanitized paths and obtain the contents of arbitrary files in the local file system of a running Node process.

This vulnerability was fixed in jsPDF version 4.0.0, released on January 3, 2026. As a workaround, it is recommended to use the Node.js --permission flag to restrict access to the file system. A researcher named Kwangwoon Kim is credited with reporting this bug.
Parallax, developer of the JavaScript PDF generation library, says: “The contents of the file are included intact in the generated PDF. Only the node.js build of the library is affected, i.e. the dist/jspdf.node.js and dist/jspdf.node.min.js files.”
