
A severe security flaw has been identified in the @adonisjs/bodyparser npm package, a core component of the AdonisJS TypeScript-first web framework. Tracked as CVE-2026-21440, the vulnerability stems from a path traversal issue in the multipart file handling mechanism. If exploited, an unauthenticated remote attacker could write arbitrary files to sensitive locations on the server’s filesystem. Read this Cybersecurity Threat Advisory now to secure your environment and limit impact.
What is the threat?
The flaw resides in the multipart file handling logic of AdonisJS’s body parser middleware, specifically in the MultipartFile.move(location, options) function used to save uploaded files. The options parameter allows custom filenames and an overwrite flag. When developers omit a sanitized filename, the bodyparser defaults to the client-supplied filename without validation. Combined with path traversal sequences, attackers can escape the intended upload directory and write files to arbitrary locations.
Why is it noteworthy?
The vulnerability is triggered when MultipartFile.move() is called without a second argument or without sanitizing the filename. In such cases, the library uses the original client-provided filename. Because this input is not validated, attackers can include traversal sequences such as ‘../../etc/passwd’ to move files outside the designated directory. If the overwrite flag is set—implicitly or explicitly—attackers can overwrite critical system files, configuration files, or application source code, paving the way for persistent compromise.
What is the exposure or risk?
CVE-2026-21440 is classified as critical due to its potential to completely undermine system integrity. Attackers could overwrite application scripts or configuration files, enabling malicious code execution during subsequent reloads or executions. They may also target authentication files to gain persistent administrative access. Overwriting database configurations or system files could result in permanent data loss or extended downtime. Given its high exploitability, this vulnerability poses a serious risk for production environments using AdonisJS with default bodyparser settings.
What are the recommendations?
Barracuda recommends the following actions to limit the impact of CVE-2026-21440:
- Update the @adonisjs/bodyparser package immediately:
  - For v10 users: Upgrade to 10.1.2 or higher.
  - For v11 (Prerelease) users: Upgrade to 11.0.0-next.6 or higher.
- Never rely on client-provided filenames. Always generate unique, sanitized names when calling .move().
- Run Node.js with minimal filesystem permissions to limit impact.
- Implement application-level checks to reject filenames containing traversal sequences.
- Deploy a Web Application Firewall (WAF) with rules to detect and block path traversal patterns in multipart form data.
- Use containerization with read-only filesystems for application code to prevent unauthorized file writes from persisting or affecting the host.
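The following TypeScript is an added example, not code from the advisory or from the AdonisJS project, showing how an application can apply the two filename recommendations above: never hand the client-supplied name to MultipartFile.move(), and reject names carrying traversal sequences before anything touches the filesystem. It uses only Node's built-in path and crypto modules; the upload root, the extension allow-list and the helper names (hasTraversal, safeFileName, resolveInsideRoot, planMove) are assumptions made for the example. The comment at the end shows where the generated name would be passed as the options argument that the advisory says accepts a custom filename.

```typescript
import * as path from "node:path";
import { randomUUID } from "node:crypto";

// Assumed upload directory for this example; an app would derive it from its own config.
const UPLOAD_ROOT = path.resolve("/srv/app/uploads");

// Assumed allow-list of extensions we are willing to keep from the client name.
const ALLOWED_EXT = new Set([".png", ".jpg", ".jpeg", ".gif", ".pdf"]);

// Application-level check: traversal sequences, path separators and NUL bytes
// have no place in a bare filename and are rejected outright.
function hasTraversal(clientName: string): boolean {
  return (
    clientName.includes("..") ||
    /[\/\\]/.test(clientName) ||
    clientName.includes("\0")
  );
}

// Server-generated name: a random UUID plus an allow-listed extension, so the
// client controls at most which of a few known extensions is used, never the path.
function safeFileName(clientName: string): string {
  const ext = path.extname(clientName).toLowerCase();
  return randomUUID() + (ALLOWED_EXT.has(ext) ? ext : ".bin");
}

// Defence in depth: resolve the final target and confirm it is still inside the
// upload root. Returns null when the resolved path escapes (or equals) the root.
function resolveInsideRoot(root: string, name: string): string | null {
  const target = path.resolve(root, name);
  const rel = path.relative(root, target);
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) {
    return null;
  }
  return target;
}

type MovePlan = { ok: true; name: string; target: string } | { ok: false; reason: string };

// Decide whether and where an upload may be stored. Only the generated `name`
// is ever passed on to the framework; the client name is used solely for checks.
function planMove(clientName: string, root: string = UPLOAD_ROOT): MovePlan {
  if (hasTraversal(clientName)) {
    return { ok: false, reason: "traversal sequence or separator in filename" };
  }
  const name = safeFileName(clientName);
  const target = resolveInsideRoot(root, name);
  if (target === null) {
    return { ok: false, reason: "resolved path escapes upload root" };
  }
  return { ok: true, name, target };
}

// In an AdonisJS controller the result would be applied like this (illustrative, not run here):
//   const plan = planMove(file.clientName);
//   if (!plan.ok) return response.badRequest({ error: plan.reason });
//   await file.move(UPLOAD_ROOT, { name: plan.name });   // never move() without a name
```

Constructed inputs such as `../../etc/passwd` are stopped by hasTraversal before any name is generated, and resolveInsideRoot catches the same case if a caller bypasses the first check, which is the layered behaviour the advisory's recommendations describe.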
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2026/01/critical-adonisjs-bodyparser-flaw-cvss.html
- https://radar.offseq.com/threat/cve-2026-21440-cwe-22-improper-limitation-of-a-pat-1ab6f0b6
- https://github.com/advisories/GHSA-gvq6-hvvp-h34h
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.

