[Pkg-javascript-devel] Bug#1136447: node-multiparty: CVE-2026-8159 CVE-2026-8161 CVE-2026-8162

Salvatore Bonaccorso carnil at debian.org
Wed May 13 21:44:56 BST 2026 

Source: node-multiparty
Version: 4.2.3-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerabilities were published for node-multiparty.

CVE-2026-8159[0]:
| multiparty at 4.2.3 and lower versions are vulnerable to denial of
| service via regular expression backtracking in the Content-
| Disposition filename parameter parser. A crafted multipart upload
| with a long header value can cause regex matching to take seconds,
| blocking the event loop. Impact: any service accepting multipart
| uploads via multiparty is affected. Workarounds: limiting upload
| sizes at the proxy or gateway layer reduces but does not eliminate
| the attack surface, since a small header of around 8 KB is
| sufficient to trigger the vulnerable backtracking. Upgrade to
| multiparty at 4.3.0 or higher.


CVE-2026-8161[1]:
| multiparty at 4.2.3 and lower versions are vulnerable to denial of
| service via uncaught exception. By sending a multipart/form-data
| request with a field name that collides with an inherited
| Object.prototype property such as __proto__, constructor, or
| toString, the parser invokes .push() on the inherited prototype
| value rather than an array, throwing a TypeError that propagates as
| an uncaught exception and crashes the process. Impact: any service
| accepting multipart uploads via multiparty is affected. Workarounds:
| none. Upgrade to multiparty at 4.3.0 or higher.


CVE-2026-8162[2]:
| multiparty at 4.2.3 and lower versions are vulnerable to denial of
| service via uncaught exception. By sending a multipart/form-data
| request with a Content-Disposition header whose filename* parameter
| contains a malformed percent-encoding, the parser invokes decodeURI
| on the value without try/catch. The resulting URIError propagates as
| an uncaught exception and crashes the process. Impact: any service
| accepting multipart uploads via multiparty is affected. Workarounds:
| none. Upgrade to multiparty at 4.3.0 or higher.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8159
    https://www.cve.org/CVERecord?id=CVE-2026-8159
[1] https://security-tracker.debian.org/tracker/CVE-2026-8161
    https://www.cve.org/CVERecord?id=CVE-2026-8161
[2] https://security-tracker.debian.org/tracker/CVE-2026-8162
    https://www.cve.org/CVERecord?id=CVE-2026-8162

Regards,
Salvatore

More information about the Pkg-javascript-devel mailing list