VulnerableCode Package Details - pkg:npm/multiparty@4.3.0

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-cj9d-mc6n-1qah	multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to multiparty@4.3.0 or higher.	CVE-2026-8159 GHSA-65x3-rw7q-gx94
VCID-jf2g-5mvm-cfds	multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.	CVE-2026-8162 GHSA-xh3c-6gcq-g4rv
VCID-ref5-c6r1-4bbw	multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.	CVE-2026-8161 GHSA-qxch-whhj-8956

Vulnerability

Summary

Aliases

VCID-cj9d-mc6n-1qah

multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to multiparty@4.3.0 or higher.

CVE-2026-8159
GHSA-65x3-rw7q-gx94

VCID-jf2g-5mvm-cfds

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.

CVE-2026-8162
GHSA-xh3c-6gcq-g4rv

VCID-ref5-c6r1-4bbw

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.

CVE-2026-8161
GHSA-qxch-whhj-8956

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T07:52:10.083280+00:00	GithubOSV Importer	Fixing	VCID-ref5-c6r1-4bbw	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-qxch-whhj-8956/GHSA-qxch-whhj-8956.json	38.6.0
2026-06-12T07:52:00.580315+00:00	GithubOSV Importer	Fixing	VCID-cj9d-mc6n-1qah	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-65x3-rw7q-gx94/GHSA-65x3-rw7q-gx94.json	38.6.0
2026-06-12T07:51:36.453814+00:00	GithubOSV Importer	Fixing	VCID-jf2g-5mvm-cfds	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-xh3c-6gcq-g4rv/GHSA-xh3c-6gcq-g4rv.json	38.6.0
2026-06-11T20:38:41.003179+00:00	GHSA Importer	Fixing	VCID-cj9d-mc6n-1qah	https://github.com/advisories/GHSA-65x3-rw7q-gx94	38.6.0
2026-06-11T20:38:40.981759+00:00	GHSA Importer	Fixing	VCID-jf2g-5mvm-cfds	https://github.com/advisories/GHSA-xh3c-6gcq-g4rv	38.6.0
2026-06-11T20:38:40.961393+00:00	GHSA Importer	Fixing	VCID-ref5-c6r1-4bbw	https://github.com/advisories/GHSA-qxch-whhj-8956	38.6.0