Critical AdonisJS Bodyparser Flaw (CVSS 9.2) Enables Arbitrary File Write on Servers

Posted on January 6, 2026 By CWS

Jan 06, 2026 | Ravie Lakshmanan | Vulnerability / Internet Security
Users of the "@adonisjs/bodyparser" npm package are being advised to update to the latest version following the disclosure of a critical security vulnerability that, if successfully exploited, could allow a remote attacker to write arbitrary files on the server.
Tracked as CVE-2026-21440 (CVSS score: 9.2), the flaw has been described as a path traversal issue affecting the AdonisJS multipart file handling mechanism. "@adonisjs/bodyparser" is an npm package associated with AdonisJS, a Node.js framework for creating web apps and API servers with TypeScript. The library is used to process the AdonisJS HTTP request body.
"If a developer uses MultipartFile.move() without the second options argument or without explicitly sanitizing the filename, an attacker can supply a crafted filename value containing traversal sequences, writing to a destination path outside the intended upload directory," the project maintainers said in an advisory released last week. "This can lead to arbitrary file write on the server."

However, successful exploitation hinges on a reachable upload endpoint. The problem, at its core, resides in a function named "MultipartFile.move(location, options)" that allows a file to be moved to the specified location. The "options" parameter holds two values: the name of a file and an overwrite flag indicating "true" or "false."
The issue arises when the name parameter is not passed as input, causing the application to default to an unsanitized client filename that opens the door to path traversal. This, in turn, allows an attacker to choose an arbitrary destination of their liking and overwrite sensitive files, if the overwrite flag is set to "true."
"If the attacker can overwrite application code, startup scripts, or configuration files that are later executed/loaded, RCE [remote code execution] is possible," AdonisJS said. "RCE is not guaranteed and depends on filesystem permissions, deployment architecture, and application/runtime behavior."
The issue, discovered and reported by Hunter Wodzenski (@wodzen), affects the following versions –

<= 10.1.1 (Fixed in 10.1.2)
<= 11.0.0-next.5 (Fixed in 11.0.0-next.6)

Flaw in jsPDF npm Library
The development coincides with the disclosure of another path traversal vulnerability in an npm package named jsPDF (CVE-2025-68428, CVSS score: 9.2) that could be exploited to pass unsanitized paths and retrieve the contents of arbitrary files on the local file system the node process is running on.

The vulnerability has been patched in jsPDF version 4.0.0, released on January 3, 2026. As a workaround, it is recommended to use the --permission flag to restrict access to the file system. A researcher named Kwangwoon Kim has been acknowledged for reporting the bug.
"The file contents are included verbatim in the generated PDFs," Parallax, the developers of the JavaScript PDF generation library, said. "Only the node.js builds of the library are affected, specifically the dist/jspdf.node.js and dist/jspdf.node.min.js files."

Source: The Hacker News