| 1 | +--- |
| 2 | +title: May 2026 Security Releases |
| 3 | +description: Security releases for multiparty have been published. We recommend that all users upgrade as soon as possible. |
| 4 | +tags: security vulnerabilities |
| 5 | +authors: |
| 6 | + - name: Ulises Gascon |
| 7 | + github: UlisesGascon |
| 8 | +--- |
| 9 | + |
| 10 | +The Express team has released [multiparty](https://www.npmjs.com/package/multiparty) 4.3.0, addressing three denial of service vulnerabilities in the multipart form parser. |
| 11 | + |
| 12 | +{% include admonitions/warning.html |
| 13 | +content="We recommend upgrading to the latest version of multiparty to secure your applications." |
| 14 | +%} |
| 15 | + |
| 16 | +The following vulnerabilities have been addressed: |
| 17 | + |
| 18 | +- [CVE-2026-8159 in multiparty utility module (High)](#cve-2026-8159-in-multiparty-utility-module-high) |
| 19 | +- [CVE-2026-8161 in multiparty utility module (High)](#cve-2026-8161-in-multiparty-utility-module-high) |
| 20 | +- [CVE-2026-8162 in multiparty utility module (High)](#cve-2026-8162-in-multiparty-utility-module-high) |
| 21 | + |
| 22 | +## CVE-2026-8159 in multiparty utility module (High) |
| 23 | + |
| 24 | +**[multiparty](https://www.npmjs.com/package/multiparty) versions `<= 4.2.3` are vulnerable to regular expression denial of service via filename parsing** |
| 25 | + |
| 26 | +A crafted multipart upload with a long header value can cause regex matching in the Content-Disposition filename parser to take seconds, blocking the Node.js event loop. Any service accepting multipart uploads via multiparty is affected. A small header of around 8 KB is sufficient to trigger the vulnerable backtracking. |
| 27 | + |
| 28 | +**Affected versions**: `<= 4.2.3` |
| 29 | +**Patched version**: `>= 4.3.0` |
| 30 | + |
| 31 | +For more details, see [GHSA-65x3-rw7q-gx94](https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx94). |
| 32 | + |
| 33 | +## CVE-2026-8161 in multiparty utility module (High) |
| 34 | + |
| 35 | +**[multiparty](https://www.npmjs.com/package/multiparty) versions `<= 4.2.3` are vulnerable to denial of service via prototype pollution leading to an uncaught exception** |
| 36 | + |
| 37 | +A multipart upload with a field name that collides with an inherited Object.prototype property such as `__proto__`, `constructor`, or `toString` causes the parser to invoke `.push()` on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Any service accepting multipart uploads via multiparty is affected. |
| 38 | + |
| 39 | +**Affected versions**: `<= 4.2.3` |
| 40 | +**Patched version**: `>= 4.3.0` |
| 41 | + |
| 42 | +For more details, see [GHSA-qxch-whhj-8956](https://github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-8956). |
| 43 | + |
| 44 | +## CVE-2026-8162 in multiparty utility module (High) |
| 45 | + |
| 46 | +**[multiparty](https://www.npmjs.com/package/multiparty) versions `<= 4.2.3` are vulnerable to denial of service via an uncaught exception in filename* parameter parsing** |
| 47 | + |
| 48 | +A multipart upload with a Content-Disposition header whose `filename*` parameter contains a malformed percent-encoding causes the parser to invoke `decodeURI` on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Any service accepting multipart uploads via multiparty is affected. |
| 49 | + |
| 50 | +**Affected versions**: `<= 4.2.3` |
| 51 | +**Patched version**: `>= 4.3.0` |
| 52 | + |
| 53 | +For more details, see [GHSA-xh3c-6gcq-g4rv](https://github.com/pillarjs/multiparty/security/advisories/GHSA-xh3c-6gcq-g4rv). |
| 54 | + |
| 55 | +--- |
| 56 | + |
| 57 | +We recommend upgrading to the latest version of multiparty to secure your applications. |
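Review bot: each of the three vulnerability sections (the paragraph under every `## CVE-2026-… in multiparty utility module (High)` heading) describes the trigger but not what 4.3.0 does with the malicious input, so a reader cannot tell whether a `__proto__`/`constructor` field name or a malformed `filename*` value is now ignored, left undecoded, or rejected with a parse error that the application must handle; one sentence per CVE stating the patched behaviour would let operators confirm their error handling still matches. Two wording points in the CVE-2026-8159 paragraph: "can cause regex matching ... to take seconds" should say whether that is per request, since the operational impact is that one request blocks the event loop for the whole process, and "A small header of around 8 KB" reads as though 8 KB were small for a header; "a header of only around 8 KB" makes the intended point that the threshold is trivially reachable by an unauthenticated client.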