From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-form-data: CVE-2026-12143
Message-ID: <178141632185.428694.14169129309351671321.reportbug@eldamar.lan>
X-Mailer: reportbug 13.2.0
Date: Sun, 14 Jun 2026 07:52:01 +0200

Source: node-form-data
Version: 4.0.5+~2.1.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for node-form-data.

CVE-2026-12143[0]:
| form-data is a library for creating readable multipart/form-data
| streams. In versions through 4.0.5, the `field` argument to
| `FormData#append` and the `filename` option are concatenated
| verbatim into the `Content-Disposition` header without escaping
| carriage return (CR), line feed (LF), or double-quote (")
| characters. An application that passes attacker-controlled data as a
| field name or filename (for example, an API gateway that turns JSON
| object keys into multipart field names) allows the attacker to
| terminate the header line and inject additional headers, or to
| smuggle entire additional multipart parts, into the request the
| application forwards to a backend. This can let the attacker add or
| override form fields (e.g. set `is_admin=true`) seen by the
| downstream parser. This is an instance of CWE-93 (CRLF injection).
| The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field
| names and filenames, matching the serialization browsers use per the
| WHATWG HTML multipart/form-data encoding algorithm. Exploitation
| requires the consuming application to use untrusted input as a field
| name or filename; applications that use only fixed/trusted field
| names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-12143
    https://www.cve.org/CVERecord?id=CVE-2026-12143
[1] https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
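The escaping the advisory describes, written out as an added example; this is not form-data's own code. It percent-encodes CR, LF and double quote in the field name and filename before they are placed in the Content-Disposition header, so that the rendered part header is always a single line, and it includes a helper an application forwarding untrusted keys could use to flag names that would have needed escaping. The function names and the sample key are constructed for this example.

```javascript
// Added example (not code from the form-data project): the escaping the
// fix applies, per the WHATWG multipart/form-data encoding algorithm.

// Percent-encode the three characters that could end the header line or
// the quoted parameter value: CR -> %0D, LF -> %0A, '"' -> %22.
function escapeName(value) {
  return String(value)
    .replace(/\r/g, '%0D')
    .replace(/\n/g, '%0A')
    .replace(/"/g, '%22');
}

// Render the Content-Disposition header for one multipart part, escaping
// both the field name and the optional filename.
function contentDisposition(field, filename) {
  let header = `Content-Disposition: form-data; name="${escapeName(field)}"`;
  if (filename !== undefined) {
    header += `; filename="${escapeName(filename)}"`;
  }
  return header;
}

// Check an application can run on untrusted input before using it as a
// field name: true when the raw value contains CR, LF or a double quote.
function isUnsafeFieldName(value) {
  return /[\r\n"]/.test(String(value));
}

// Number of lines a rendered header occupies; with escaping applied this
// is always 1, whatever the input contained.
function headerLineCount(header) {
  return header.split(/\r?\n/).length;
}

// Constructed sample: a JSON object key containing a quote and a line
// break, of the kind an API gateway might otherwise forward verbatim.
const untrustedKey = 'avatar"\r\nextra';
const hardenedHeader = contentDisposition(untrustedKey, 'photo.png');
console.log(hardenedHeader);
console.log('unsafe raw key:', isUnsafeFieldName(untrustedKey));
```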