Users of the @adonisjs/bodyparser npm package were urged to update on January 6, 2026 after disclosure of a critical path traversal flaw, tracked as CVE-2026-21440 with a CVSS score of 9.2, that can allow remote attackers to write arbitrary files on affected servers.
KEY FACTS
- Incident: Path traversal in multipart file handling can permit arbitrary file writes
- CVE: CVE-2026-21440, scored 9.2
- Affected: Versions <= 10.1.1 and <= 11.0.0-next.5; fixed in 10.1.2 and 11.0.0-next.6
- Exploit requirements: A reachable upload endpoint and use of MultipartFile.move without filename sanitization
A security advisory on GitHub from AdonisJS said the flaw stems from the multipart file handling code when MultipartFile.move(location, options) is called without the second options argument or without explicitly sanitizing the filename.
The options parameter accepts a file name and an overwrite flag set to true or false. If the name is not provided, the application can default to an unsanitized client filename that may contain traversal sequences, allowing writes outside the intended upload directory.
An attacker able to overwrite application code, startup scripts, or configuration files that are later executed or loaded could cause remote code execution, depending on filesystem permissions and deployment layout. Successful exploitation requires a reachable upload endpoint and appropriate permissions.
Users are advised to upgrade to the patched releases 10.1.2 or 11.0.0-next.6. A related disclosure notes a separate path traversal issue in jsPDF; it is documented in a jsPDF advisory on GitHub, with a fix in version 4.0.0 released January 3, 2026 and a suggested workaround using the Node --permission flag to restrict filesystem access.
WHY IT MATTERS
An arbitrary file write vulnerability can lead to data loss, service disruption, or execution of attacker supplied code if deployment and permissions allow. Administrators should apply the provided patches and verify upload handling and filename sanitization.