Threat Advisory

Multiparty Vulnerabilities Enable Denial of Service

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the npm multiparty package. The affected software includes npm/multiparty versions 4.2.3 and lower. The vulnerabilities identified are denial of service via regular expression backtracking in the Content-Disposition filename parameter parser, denial of service via uncaught exception, and denial of service via prototype pollution leading to uncaught exception. These vulnerabilities pose a significant business risk as they can cause a service accepting multipart uploads via multiparty to become unavailable, resulting in downtime and potential financial losses. The impact of these vulnerabilities is high, with potential consequences including data loss, system crashes, and compromised business operations.

  • CVE-2026-8159 with a CVSS score of 7.5 – This vulnerability is caused by a denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. It can be exploited by sending a crafted multipart upload with a long header value, causing regex matching to take seconds and blocking the event loop. The attacker capability is network access, and no user interaction is required. To exploit this vulnerability, a malicious actor must be able to send a multipart upload to the affected service.
  • CVE-2026-8162 with a CVSS score of 7.5 – This vulnerability is caused by a denial of service via uncaught exception. It can be exploited by sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, causing the parser to invoke decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. The attacker capability is network access, and no user interaction is required. To exploit this vulnerability, a malicious actor must be able to send a multipart/form-data request to the affected service.
  • CVE-2026-8161 with a CVSS score of 7.5 – This vulnerability is caused by a denial of service via prototype pollution leading to uncaught exception. It can be exploited by sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property, causing the parser to invoke .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. The attacker capability is network access, and no user interaction is required. To exploit this vulnerability, a malicious actor must be able to send a multipart/form-data request to the affected service.
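The three findings above are parser failure modes, and the defensive side of each is short. The following JavaScript is an added example written for this advisory, not code from the multiparty project or from the referenced GitHub advisories: it places the unguarded percent-decoding next to its try/catch form, a plain-object field store next to a null-prototype store with an own-property check, and a header-value length bound as defence in depth for the backtracking issue. The function names, the 4096-character limit and the sample field list are assumptions constructed for the example; the real multiparty code and regex are not reproduced here.

```javascript
// Added example (not multiparty's own code). Defensive patterns for the parser
// failure modes described in the advisory. Runs on plain Node.js, no deps.

// Bound a single header value before it reaches any regular expression.
// 4096 is an assumed, constructed limit; deployments pick their own.
const MAX_HEADER_VALUE_LENGTH = 4096;

function headerValueWithinLimit(value, max = MAX_HEADER_VALUE_LENGTH) {
  return typeof value === 'string' && value.length <= max;
}

// Decode an RFC 5987 filename* value (charset'language'percent-encoded-value).
// decodeURIComponent throws URIError on malformed percent-encoding; the bug
// described above is calling such a decoder with no try/catch. Here a
// malformed value yields null instead of an uncaught exception.
function safeDecodeFilename(extValue) {
  const firstQuote = extValue.indexOf("'");
  const secondQuote = firstQuote === -1 ? -1 : extValue.indexOf("'", firstQuote + 1);
  const encoded = secondQuote === -1 ? extValue : extValue.slice(secondQuote + 1);
  try {
    return decodeURIComponent(encoded);
  } catch (err) {
    if (err instanceof URIError) return null; // caller rejects the part
    throw err; // anything else is a genuine programming error
  }
}

// "Before" shape of the prototype-collision bug: a plain object as the field
// store plus a truthiness check that mistakes inherited members for own data.
// A field named "hasOwnProperty" resolves to a function inherited from
// Object.prototype, and calling .push() on it throws a TypeError.
function vulnerableAddField(fields, name, value) {
  if (!fields[name]) fields[name] = [];
  fields[name].push(value);
  return fields;
}

// Hardened form: a null-prototype store has nothing to inherit, and the
// own-property check never consults the prototype chain.
function createFieldStore() {
  return Object.create(null);
}

function addField(store, name, value) {
  if (!Object.prototype.hasOwnProperty.call(store, name)) store[name] = [];
  store[name].push(value);
  return store;
}

// Accumulate [name, value] pairs the way a multipart parser collects fields.
function collectFields(pairs) {
  const store = createFieldStore();
  for (const [name, value] of pairs) addField(store, name, value);
  return store;
}

// Constructed sample input (not captured traffic): ordinary fields plus names
// that collide with members of Object.prototype.
const SAMPLE_FIELDS = [
  ['title', 'report'],
  ['tag', 'a'],
  ['tag', 'b'],
  ['hasOwnProperty', 'collides'],
  ['__proto__', 'also collides'],
];

if (typeof require === 'function' && require.main === module) {
  console.log(headerValueWithinLimit('x'.repeat(5000))); // false
  console.log(safeDecodeFilename("UTF-8''caf%C3%A9.txt")); // café.txt
  console.log(safeDecodeFilename("UTF-8''bad%E0%A4%A")); // null
  console.log(collectFields(SAMPLE_FIELDS));
  try {
    vulnerableAddField({}, 'hasOwnProperty', 'x');
  } catch (err) {
    console.log(`plain-object store threw: ${err.constructor.name}`); // TypeError
  }
}
```

The length bound is a blunt but cheap control: it does not fix a backtracking regex, but it caps how much input any one header can feed it, which is why upgrading to the fixed version remains the actual remediation. The null-prototype store is the general fix for field-name collisions; it covers every inherited name, not only the ones listed in the sample.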

These vulnerabilities pose a significant business risk, with potential consequences including data loss, system crashes, and compromised business operations. Exploitation of these vulnerabilities can result in downtime and potential financial losses, making it essential for organizations to address these issues promptly.

RECOMMENDATION:

  • We recommend updating npm/multiparty to version 4.3.0.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-65x3-rw7q-gx94
https://github.com/advisories/GHSA-xh3c-6gcq-g4rv
https://github.com/advisories/GHSA-qxch-whhj-8956
