
Exploitable file‑write and file‑read bugs can lead to credential exposure or remote code execution, threatening the integrity of Node.js‑based web services and their supply chain.
Node.js ecosystems increasingly rely on third‑party packages, making supply‑chain hygiene a top priority for developers. Path‑traversal vulnerabilities, like the one discovered in @adonisjs/bodyparser, exploit the assumption that client‑provided filenames are safe. When a server blindly moves uploaded files based on those names, attackers can escape designated directories, plant malicious scripts, or overwrite critical configuration files. This class of flaw underscores the need for defensive coding patterns—validating and normalizing all file paths before any filesystem operation.
The AdonisJS issue stems from the MultipartFile.move() method, which falls back to the original client filename when the optional "name" argument is omitted. Without sanitization, a crafted filename containing "../" sequences walks up the directory tree, so the upload lands anywhere the server process has write permission. Mitigation means always passing a server-chosen destination name to move(), or reducing the client name to its last path segment and then checking that the resolved destination still lies inside the upload directory. Merely stripping "../" substrings is not enough: an input such as "....//" collapses back to "../" after a single pass. Updating to the patched releases (10.1.2 or 11.0.0‑next.6) removes the vulnerable code path, but teams should also audit their other upload endpoints for the same pattern.
The jsPDF vulnerability disclosed around the same time shows how an apparently unrelated utility becomes an attack vector. Because its loadFile() routine accepted arbitrary file paths, a path reaching the library from user input could embed the contents of sensitive files directly into the generated PDF, exposing environment files, keys, or internal scripts. Organizations that generate PDFs from user input should upgrade to version 4.0.0 and consider running the service under Node.js's permission model (the "--permission" flag, available as "--experimental-permission" in Node 20), granting "--allow-fs-read" only for the directories the PDF generator genuinely needs. Beyond patching, a proactive approach—regular dependency scanning, automated CVE monitoring, and runtime file‑system constraints—helps mitigate the broader risk of supply‑chain exploits in modern JavaScript applications.