Customers of the “@adonisjs/bodyparser” npm package deal are being suggested to replace to the newest model following the disclosure of a important security vulnerability that, if efficiently exploited, might enable a distant attacker to write down arbitrary recordsdata on the server.
Tracked as CVE-2026-21440 (CVSS rating: 9.2), the flaw has been described as a path traversal problem affecting the AdonisJS multipart file dealing with mechanism. “@adonisjs/bodyparser” is an npm package deal related to AdonisJS, a Node.js framework for growing net apps and API servers with TypeScript. The library is used to course of AdonisJS HTTP request physique.
“If a developer makes use of MultipartFile.transfer() with out the second choices argument or with out explicitly sanitizing the filename, an attacker can provide a crafted filename worth containing traversal sequences, writing to a vacation spot path exterior the supposed add listing,” the undertaking maintainers stated in an advisory launched final week. “This could result in arbitrary file write on the server.”
Nonetheless, profitable exploitation hinges on a reachable add endpoint. The issue, at its core, resides in a perform named “MultipartFile.transfer(location, choices)” that enables a file to be moved to the required location. The “choices” parameter holds two values: the title of a file and an overwrite flag indicating “true” or “false.”
The problem arises when the title parameter will not be handed as enter, inflicting the appliance to default to an unsanitized shopper filename that opens the door to path traversal. This, in flip, permits an attacker to decide on an arbitrary vacation spot of their liking and overwrite delicate recordsdata, if the overwrite flag is about to “true.”
“If the attacker can overwrite utility code, startup scripts, or configuration recordsdata which can be later executed/loaded, RCE [remote code execution] is feasible,” AdonisJS stated. “RCE will not be assured and will depend on filesystem permissions, deployment structure, and utility/runtime conduct.”
The problem, found and reported by Hunter Wodzenski (@wodzen) impacts the next variations –
- <= 10.1.1 (Mounted in 10.1.2)
- <= 11.0.0-next.5 (Mounted in 11.0.0-next.6)
Flaw in jsPDF npm Library
The event coincides with the disclosure of one other path traversal vulnerability in an npm package deal named jsPDF (CVE-2025-68428, CVSS rating: 9.2) that could possibly be exploited to go unsanitized paths and retrieve the contents of arbitrary recordsdata within the native file system the node course of is working.
The vulnerability has been patched in jsPDF model 4.0.0 launched on January 3, 2026. As workarounds, it is suggested to make use of the –permission flag to limit entry to the file system. A researcher named Kwangwoon Kim has been acknowledged for reporting the bug.
“The file contents are included verbatim within the generated PDFs,” Parallax, the builders of the JavaScript PDF era library, stated. “Solely the node.js builds of the library are affected, specifically the dist/jspdf.node.js and dist/jspdf.node.min.js recordsdata.”
