Users of the “@adonisjs/bodyparser” npm package are being advised to update to the latest version following the disclosure of a critical security vulnerability that, if successfully exploited, could allow a remote attacker to write arbitrary files on the server.
Tracked as CVE-2026-21440 (CVSS score: 9.2), the flaw has been described as a path traversal issue affecting the AdonisJS multipart file handling mechanism. “@adonisjs/bodyparser” is an npm package associated with AdonisJS, a Node.js framework for developing web apps and API servers with TypeScript. The library is used to process AdonisJS HTTP request body.
“If a developer uses MultipartFile.move() without the second options argument or without explicitly sanitizing the filename, an attacker can supply a crafted filename value containing traversal sequences, writing to a destination path outside the intended upload directory,” the project maintainers said in an advisory released last week. “This can lead to arbitrary file write on the server.”
However, successful exploitation hinges on a reachable upload endpoint. The problem, at its core, resides in a function named “MultipartFile.move(location, options)” that allows a file to be moved to the specified location. The “options” parameter holds two values: the name of a file and an overwrite flag indicating “true” or “false.”
The issue arises when the name parameter is not passed as input, causing the application to default to an unsanitized client filename that opens the door to path traversal. This, in turn, allows an attacker to choose an arbitrary destination of their liking and overwrite sensitive files, if the overwrite flag is set to “true.”
“If the attacker can overwrite application code, startup scripts, or configuration files that are later executed/loaded, RCE [remote code execution] is possible,” AdonisJS said. “RCE is not guaranteed and depends on filesystem permissions, deployment layout, and application/runtime behavior.”
The issue, discovered and reported by Hunter Wodzenski (@wodzen) impacts the following versions –
- <= 10.1.1 (Fixed in 10.1.2)
- <= 11.0.0-next.5 (Fixed in 11.0.0-next.6)
Flaw in jsPDF npm Library
The development coincides with the disclosure of another path traversal vulnerability in an npm package named jsPDF (CVE-2025-68428, CVSS score: 9.2) that could be exploited to pass unsanitized paths and retrieve the contents of arbitrary files in the local file system the node process is running.
The vulnerability has been patched in jsPDF version 4.0.0 released on January 3, 2026. As workarounds, it’s advised to use the –permission flag to restrict access to the file system. A researcher named Kwangwoon Kim has been acknowledged for reporting the bug.
“The file contents are included verbatim in the generated PDFs,” Parallax, the developers of the JavaScript PDF generation library, said. “Only the node.js builds of the library are affected, namely the dist/jspdf.node.js and dist/jspdf.node.min.js files.”
In a separate analysis, Endor Labs said successful exploitation results in unauthorized disclosure of sensitive data, such as configuration files, environment variables, and credentials, that are accessible to the Node.js process.
The problem originates in the “loadFile()” method within the npm module. In the event a user-controlled input is passed as a file path argument, the library reads the specified file from disk and incorporates its contents verbatim into the generated PDF output. It affects public-facing methods like addImage, html, and addFont, each of which internally invoke “loadFile().”
“There are numerous conditions under which this vulnerability is not exploitable,” it said. The central question is whether an attacker or user can control the first argument passed to the affected methods (loadFile, addImage, html, addFont). If file paths are hard-coded or derived from trusted sources, the risk is significantly reduced.”
