A remote attacker may be able to write any file on the server due to a vulnerability in the AdonisJS package. The issue lies in the function "MultipartFile.move(location, options)", which moves a file to the designated location. The "options" parameter holds the file name and an overwrite flag set to "true" or "false".
Hunter Wodzenski (@wodzen) found and reported the problem, which affects versions 10.1.1, 11.0.0-next.5, and 12.0.-next.6. At the same time, another path traversal vulnerability was discovered in the npm package jsPDF (CVE-2025-68428, CVSS score: 9.2). This vulnerability could be used to retrieve the contents of any file in the local file system where the node process is running.
"Only the node.js builds of the library are affected," the JavaScript PDF generation library's developers, Parallax, stated. The vulnerability has been fixed in jsPDF version 4.0, which was made available on January 3, 2026. It is recommended to use the --permission flag as a workaround to limit file system access.
The bug was reported by a researcher named Kwangwoon Kim. The dist/jspdf.node.js and dist/jspdf.node.min.js files are impacted.






