Source: node-multiparty
Version: 4.2.3-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerabilities were published for node-multiparty.

CVE-2026-8159[0]:
| [email protected] and lower versions are vulnerable to denial of
| service via regular expression backtracking in the Content-Disposition
| filename parameter parser. A crafted multipart upload with a long
| header value can cause regex matching to take seconds, blocking the
| event loop. Impact: any service accepting multipart uploads via
| multiparty is affected. Workarounds: limiting upload sizes at the
| proxy or gateway layer reduces but does not eliminate the attack
| surface, since a small header of around 8 KB is sufficient to trigger
| the vulnerable backtracking. Upgrade to [email protected] or higher.

CVE-2026-8161[1]:
| [email protected] and lower versions are vulnerable to denial of
| service via uncaught exception. By sending a multipart/form-data
| request with a field name that collides with an inherited
| Object.prototype property such as __proto__, constructor, or
| toString, the parser invokes .push() on the inherited prototype
| value rather than an array, throwing a TypeError that propagates as
| an uncaught exception and crashes the process. Impact: any service
| accepting multipart uploads via multiparty is affected. Workarounds:
| none. Upgrade to [email protected] or higher.

CVE-2026-8162[2]:
| [email protected] and lower versions are vulnerable to denial of
| service via uncaught exception. By sending a multipart/form-data
| request with a Content-Disposition header whose filename* parameter
| contains a malformed percent-encoding, the parser invokes decodeURI
| on the value without try/catch. The resulting URIError propagates as
| an uncaught exception and crashes the process. Impact: any service
| accepting multipart uploads via multiparty is affected. Workarounds:
| none. Upgrade to [email protected] or higher.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8159
    https://www.cve.org/CVERecord?id=CVE-2026-8159
[1] https://security-tracker.debian.org/tracker/CVE-2026-8161
    https://www.cve.org/CVERecord?id=CVE-2026-8161
[2] https://security-tracker.debian.org/tracker/CVE-2026-8162
    https://www.cve.org/CVERecord?id=CVE-2026-8162

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
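The two uncaught-exception classes quoted above (CVE-2026-8161 and CVE-2026-8162) can be reproduced outside multiparty with a few lines of Node.js. The example below is added here and is not multiparty's own code or the upstream fix: it is a minimal field accumulator and RFC 5987 filename* decoder that exhibit the described failures, each beside a hardened form. The function names, the `EXT_VALUE` regex and the sample parts and header values are constructed for this illustration.

```javascript
// Added example, not code from multiparty: reproduces the two uncaught-exception
// classes from the advisory (prototype-name collision and decodeURI on a
// malformed filename*) and shows a hardened version of each.
// All inputs below are constructed for the example.

// Field names that resolve to inherited Object.prototype members on a plain {}.
const crashingFieldNames = ['__proto__', 'constructor', 'toString'];

// Vulnerable pattern: a plain {} inherits from Object.prototype, so a field
// named "constructor" resolves to the Object function (truthy, has no .push),
// and "__proto__" resolves to Object.prototype itself.
function accumulateFieldsVulnerable(parts) {
  const fields = {};
  for (const { name, value } of parts) {
    if (!fields[name]) fields[name] = [];
    fields[name].push(value); // TypeError for inherited names
  }
  return fields;
}

// Hardened: null-prototype map plus an own-property check, so every key the
// parser touches is an array it created itself.
function accumulateFields(parts) {
  const fields = Object.create(null);
  for (const { name, value } of parts) {
    if (!Object.prototype.hasOwnProperty.call(fields, name)) fields[name] = [];
    fields[name].push(value);
  }
  return fields;
}

// RFC 5987 extended value: charset'language'percent-encoded-bytes.
// Anchored, no nested quantifiers, so matching is linear in the input length.
const EXT_VALUE = /^([^']*)'([^']*)'([\s\S]*)$/;

// Vulnerable pattern: decodeURI with no try/catch. A truncated or invalid
// percent sequence such as "%E0%A4%A" throws URIError ("URI malformed").
function decodeFilenameStarVulnerable(value) {
  const m = EXT_VALUE.exec(value);
  if (!m) return null;
  return decodeURI(m[3]);
}

// Hardened: catch URIError and reject the value (return null) instead of
// letting the exception unwind into the event loop and kill the process.
function decodeFilenameStar(value) {
  const m = EXT_VALUE.exec(value);
  if (!m) return null;
  try {
    return decodeURIComponent(m[3]);
  } catch (e) {
    if (e instanceof URIError) return null;
    throw e;
  }
}

// Demo helper: run fn and report "ok" or the name of the error it threw,
// standing in for what would otherwise be an uncaught exception.
function outcome(fn) {
  try { fn(); return 'ok'; } catch (e) { return e.name; }
}

// Constructed multipart fields: one benign name, one colliding name.
const sampleParts = [
  { name: 'comment', value: 'hello' },
  { name: 'constructor', value: 'x' },
];

function demo() {
  return {
    fieldsVulnerable: outcome(() => accumulateFieldsVulnerable(sampleParts)),
    fieldsHardened: outcome(() => accumulateFields(sampleParts)),
    filenameVulnerable: outcome(() => decodeFilenameStarVulnerable("UTF-8''%E0%A4%A")),
    filenameHardened: outcome(() => decodeFilenameStar("UTF-8''%E0%A4%A")),
    filenameGood: decodeFilenameStar("UTF-8''%E2%82%AC%20rates.txt"),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Note that the hardened accumulator uses `Object.create(null)` rather than only an own-property check: on a plain object, assigning `fields['__proto__'] = []` would hit the inherited `__proto__` setter and change the object's prototype instead of storing the array. Neither hardening addresses CVE-2026-8159; that one needs the upstream regex fix, since an edge cap above roughly 8 KB of header does not prevent the backtracking.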
