A critical security vulnerability has been identified in the `@adonisjs/bodyparser` npm package, potentially allowing remote attackers to write arbitrary files on affected servers. Developers are urged to update to the latest version to mitigate this path traversal risk. #CVE-2026-21440 #AdonisJS
Keypoints
- The vulnerability affects the `@adonisjs/bodyparser` npm package used with the AdonisJS framework.
- Exploitation relies on improper handling of filenames in the MultipartFile.move() function.
- Attackers can overwrite sensitive files, including server configuration and startup scripts.
- Successful exploitation requires reachable upload endpoints and specific file naming conditions.
- Updating to the latest version is recommended to fix the security flaw and prevent potential RCE attacks.
Read More: https://thehackernews.com/2026/01/critical-adonisjs-bodyparser-flaw-cvss.html