VulnerableCode Package Details - pkg:deb/debian/node-multiparty@4.2.3-2

Search for packages

Vulnerability	Summary	Fixed by
VCID-cj9d-mc6n-1qah Aliases: CVE-2026-8159 GHSA-65x3-rw7q-gx94	multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to multiparty@4.3.0 or higher.	4.3.0+~4.2.1-1 Affected by 0 other vulnerabilities.
VCID-jf2g-5mvm-cfds Aliases: CVE-2026-8162 GHSA-xh3c-6gcq-g4rv	multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.	4.3.0+~4.2.1-1 Affected by 0 other vulnerabilities.
VCID-ref5-c6r1-4bbw Aliases: CVE-2026-8161 GHSA-qxch-whhj-8956	multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.	4.3.0+~4.2.1-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-cj9d-mc6n-1qah
Aliases:
CVE-2026-8159
GHSA-65x3-rw7q-gx94

multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to multiparty@4.3.0 or higher.

4.3.0+~4.2.1-1
Affected by 0 other vulnerabilities.

VCID-jf2g-5mvm-cfds
Aliases:
CVE-2026-8162
GHSA-xh3c-6gcq-g4rv

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.

4.3.0+~4.2.1-1
Affected by 0 other vulnerabilities.

VCID-ref5-c6r1-4bbw
Aliases:
CVE-2026-8161
GHSA-qxch-whhj-8956

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.

4.3.0+~4.2.1-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T02:20:32.298482+00:00	Debian Importer	Affected by	VCID-ref5-c6r1-4bbw	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-13T01:16:58.524448+00:00	Debian Importer	Affected by	VCID-cj9d-mc6n-1qah	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-06-13T00:55:01.995539+00:00	Debian Importer	Affected by	VCID-jf2g-5mvm-cfds	https://security-tracker.debian.org/tracker/data/json	38.6.0