
Critical AdonisJS Bodyparser Flaw (CVSS 9.2) Enables Arbitrary File Write on Servers

Published:

6 January 2026 at 03:30:00

Alert date:

6 January 2026 at 08:02:21

Source:

thehackernews.com


Web Technologies, Supply Chain & Dependencies

A critical security vulnerability (CVE-2026-21440) with CVSS score 9.2 has been disclosed in the '@adonisjs/bodyparser' npm package. The flaw is described as a path traversal issue affecting the AdonisJS multipart functionality. If successfully exploited, it could allow remote attackers to write arbitrary files on the server. Users are strongly advised to update to the latest version of the package to mitigate this high-severity security risk.

Technical details

Path traversal vulnerability in the AdonisJS multipart file handling mechanism. When MultipartFile.move() is used without the second options argument, or without explicitly sanitizing the filename, an attacker can supply a crafted filename containing traversal sequences to write files outside the intended upload directory. The vulnerability resides in the MultipartFile.move(location, options) function: if the name option is not passed, the application defaults to the unsanitized client-supplied filename. This allows path traversal, where attackers can choose arbitrary destinations and potentially overwrite sensitive files if the overwrite flag is set to true. If application code, startup scripts, or configuration files can be overwritten, remote code execution becomes possible.

Mitigation steps:

Update @adonisjs/bodyparser to version 10.1.2 or 11.0.0-next.6 depending on your current version. For jsPDF users, update to version 4.0.0. As a workaround for jsPDF, use the --permission flag to restrict access to the file system. Ensure proper filename sanitization when using MultipartFile.move() and always pass the second options argument with sanitized filenames.

Affected products:

@adonisjs/bodyparser <= 10.1.1 (Fixed in 10.1.2)
@adonisjs/bodyparser <= 11.0.0-next.5 (Fixed in 11.0.0-next.6)
jsPDF (Fixed in version 4.0.0)

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
