Users of the “@adonisjs/bodyparser” npm package are being advised to update to the latest version following the disclosure of a critical security vulnerability that, if successfully exploited, could allow a remote attacker to write arbitrary files on the server.
Tracked as CVE-2026-21440 (CVSS score: 9.2), the flaw has been described as a path traversal issue affecting the AdonisJS multipart file handling mechanism. “@adonisjs/bodyparser” is an npm package associated with AdonisJS, a Node.js framework for developing web apps and API servers with TypeScript. The library is used to process AdonisJS HTTP request body.
“If a developer uses MultipartFile.move() without the second options argument or without explicitly sanitizing the filename, an attacker can supply a crafted filename value containing traversal sequences, writing to a destination path outside the intended upload directory,” the project maintainers said in an advisory released last week. “This can lead to arbitrary file write on the server.”
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
However, successful exploitation hinges on a reachable upload endpoint. The problem, at its core, resides in a function named “MultipartFile.move(location, options)” that allows a file to be moved to the specified location. The “options” parameter holds two values: the name of a file and an overwrite flag indicating “true” or “false.”
The issue arises when the name parameter is not passed as input, causing the application to default to an unsanitized client filename that opens the door to path traversal. This, in turn, allows an attacker to choose an arbitrary destination of their liking and overwrite sensitive files, if the overwrite flag is set to “true.”
“If the attacker can overwrite application code, startup scripts, or configuration files that are later executed/loaded, RCE [remote code execution] is possible,” AdonisJS said. “RCE is not guaranteed and depends on filesystem permissions, deployment layout, and application/runtime behavior.”
The issue, discovered and reported by Hunter Wodzenski (@wodzen) impacts the following versions –
- <= 10.1.1 (Fixed in 10.1.2)
- <= 11.0.0-next.5 (Fixed in 11.0.0-next.6)
Flaw in jsPDF npm Library
The development coincides with the disclosure of another path traversal vulnerability in an npm package named jsPDF (CVE-2025-68428, CVSS score: 9.2) that could be exploited to pass unsanitized paths and retrieve the contents of arbitrary files in the local file system the node process is running.
The vulnerability has been patched in jsPDF version 4.0.0 released on January 3, 2026. As workarounds, it’s advised to use the –permission flag to restrict access to the file system. A researcher named Kwangwoon Kim has been acknowledged for reporting the bug.
“The file contents are included verbatim in the generated PDFs,” Parallax, the developers of the JavaScript PDF generation library, said. “Only the node.js builds of the library are affected, namely the dist/jspdf.node.js and dist/jspdf.node.min.js files.”
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Russia-Aligned Hackers Abuse Viber to Target Ukrainian Military and Government