Developers using the @adonisjs/bodyparser npm package are urged to update immediately following the discovery of a critical security vulnerability. This flaw, identified as CVE-2026-21440, could permit remote attackers to write arbitrary files to a server if successfully exploited, posing a significant risk to web applications and API servers built with the AdonisJS Node.js framework.
The vulnerability, which carries a severe CVSS score of 9.2, stems from a path traversal issue within the package’s multipart file handling mechanism. This function is responsible for processing the HTTP request body for AdonisJS applications. The critical nature of this security vulnerability lies in its potential to compromise server integrity and data security.
Critical Path Traversal Vulnerability in @adonisjs/bodyparser
AdonisJS maintainers detailed in a recent advisory that the vulnerability arises when the `MultipartFile.move()` function is utilized without its second options argument, or if the filename is not explicitly sanitized. In such scenarios, an attacker can craft a malicious filename incorporating traversal sequences. This allows them to bypass intended upload directory restrictions, enabling them to write files to any location on the server that the application has permissions to access.
The successful exploitation of this security vulnerability is contingent on the presence of a reachable upload endpoint within the affected application. The core of the problem lies within the `MultipartFile.move(location, options)` function. When the `options` parameter is not provided, the application defaults to using a client-supplied, unsanitized filename. This default behavior creates the opening for path traversal attacks.
According to the AdonisJS advisory, if an attacker can overwrite critical application files, such as startup scripts or configuration files, there is a potential for Remote Code Execution (RCE). However, the advisory also notes that RCE is not guaranteed and is dependent on several factors, including filesystem permissions, the application’s deployment structure, and the behavior of the application and its runtime environment. This highlights the layered defenses that are crucial in modern web security.
The vulnerability impacts versions of the `@adonisjs/bodyparser` package up to and including 10.1.1, and versions up to and including 11.0.0-next.5. The fixes are available in version 10.1.2 and 11.0.0-next.6, respectively. Developers are strongly encouraged to review their dependencies and update to the patched versions without delay to mitigate the risk of a potential security vulnerability exploit.
Related Vulnerability Discovered in jsPDF npm Package
This disclosure of the `@adonisjs/bodyparser` security vulnerability comes alongside the reporting of another significant path traversal flaw in the jsPDF npm package (CVE-2025-68428). This separate issue, also with a CVSS score of 9.2, allows attackers to submit unsanitized paths, potentially leading to the retrieval of sensitive file contents from the server’s local file system where the Node.js process is running.
The jsPDF vulnerability has been addressed in version 4.0.0, released on January 3, 2026. The developers of the library, Parallax, clarified that only the Node.js builds of the library are affected, specifically the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. While patching is the recommended solution, users can also employ the `–permission` flag to restrict file system access as a temporary workaround.
The discovery and patching of these vulnerabilities underscore the continuous need for vigilance in the Node.js ecosystem. Developers must stay informed about emerging threats and promptly apply updates to their dependencies. The active reporting and swift remediation of such issues by maintainers are vital in safeguarding the broader web development community from potential cyber attacks.
Moving forward, developers utilizing AdonisJS and jsPDF should prioritize updating their project dependencies to the latest secure versions. Continuous monitoring of security advisories and rigorous code auditing practices remain essential to maintain a robust security posture against evolving threats in the web application landscape.