Users of the @adonisjs/bodyparser npm package are being urged to update immediately after the disclosure of a critical security vulnerability that could allow remote attackers to write arbitrary files on affected servers.
The issue is tracked as CVE-2026-21440 and carries a CVSS score of 9.2, indicating high severity. According to project maintainers, the flaw stems from a path traversal vulnerability within AdonisJS’s multipart file upload handling logic.
AdonisJS is a popular Node.js framework used for building web applications and API servers with TypeScript. The @adonisjs/bodyparser package is responsible for processing HTTP request bodies, including multipart file uploads.
In a security advisory released last week, maintainers explained that the vulnerability occurs when developers use the MultipartFile.move(location, options) method without providing the optional second argument or without explicitly sanitizing uploaded filenames. In such cases, attackers can supply a crafted filename containing directory traversal sequences, allowing files to be written outside the intended upload directory.
This behavior can result in arbitrary file write on the server, provided the upload endpoint is reachable from the network.
The root cause lies in the MultipartFile.move(location, options) function. The options parameter typically contains a filename and an overwrite flag. When the filename is not explicitly defined, the application defaults to using the client supplied filename without proper sanitization. If the overwrite option is set to true, attackers may overwrite sensitive system or application files.
AdonisJS maintainers noted that while remote code execution (RCE) is not guaranteed, it becomes possible if attackers are able to overwrite executable files, startup scripts, or configuration files that are later loaded by the application. The feasibility of such exploitation depends on file system permissions, deployment structure, and runtime behavior.
The vulnerability was responsibly disclosed by security researcher Hunter Wodzenski (@wodzen) and affects the following versions:
- Versions 10.1.1 and earlier, fixed in 10.1.2
- Versions 11.0.0-next.5 and earlier, fixed in 11.0.0-next.6
Developers using vulnerable versions are strongly advised to upgrade to the patched releases as soon as possible.
jsPDF npm Library Also Affected by Critical Path Traversal Bug
The disclosure comes alongside another serious security issue affecting the jsPDF npm package. Tracked as CVE-2025-68428 with a CVSS score of 9.2, this vulnerability allows attackers to supply unsanitized file paths and read arbitrary files from the local file system where the Node.js process is running.
The flaw has been fixed in jsPDF version 4.0.0, released on January 3, 2026. As a temporary mitigation, developers are advised to use the --permission flag to limit file system access.
Parallax, the maintainers of jsPDF, confirmed that only Node.js builds of the library are affected, specifically dist/jspdf.node.js and dist/jspdf.node.min.js. The vulnerability was reported by researcher Kwangwoon Kim, who has been credited for the discovery.