Source: node-form-data
Version: 4.0.5+~2.1.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-form-data.
CVE-2026-12143[0]:
| form-data is a library for creating readable multipart/form-data
| streams. In versions through 4.0.5, the `field` argument to
| `FormData#append` and the `filename` option are concatenated
| verbatim into the `Content-Disposition` header without escaping
| carriage return (CR), line feed (LF), or double-quote (")
| characters. An application that passes attacker-controlled data as a
| field name or filename (for example, an API gateway that turns JSON
| object keys into multipart field names) allows the attacker to
| terminate the header line and inject additional headers, or to
| smuggle entire additional multipart parts, into the request the
| application forwards to a backend. This can let the attacker add or
| override form fields (e.g. set `is_admin=true`) seen by the
| downstream parser. This is an instance of CWE-93 (CRLF injection).
| The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field
| names and filenames, matching the serialization browsers use per the
| WHATWG HTML multipart/form-data encoding algorithm. Exploitation
| requires the consuming application to use untrusted input as a field
| name or filename; applications that use only fixed/trusted field
| names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-12143
    https://www.cve.org/CVERecord?id=CVE-2026-12143
[1] https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
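The escaping the advisory describes, as an added example written for this report rather than code from the form-data project: it percent-encodes CR, LF and `"` in field names and filenames before they are placed in the quoted `Content-Disposition` values, and includes a check callers can run on untrusted names. `escapeName`, `contentDisposition` and `needsEscaping` are hypothetical helper names.

```javascript
// Added example, not the form-data project's code. Builds the
// Content-Disposition line for one multipart part with the escaping the
// advisory specifies: CR -> %0D, LF -> %0A, '"' -> %22 (the WHATWG
// multipart/form-data encoding algorithm). None of the three replacements
// re-introduces a CR, LF or quote, so the order of the replaces is safe.
function escapeName(value) {
  return String(value)
    .replace(/\r/g, '%0D')
    .replace(/\n/g, '%0A')
    .replace(/"/g, '%22');
}

// Hypothetical helper: the header line emitted for a part. The unfixed
// library concatenated `field` and `filename` here verbatim.
function contentDisposition(field, filename) {
  let header = `Content-Disposition: form-data; name="${escapeName(field)}"`;
  if (filename !== undefined) {
    header += `; filename="${escapeName(filename)}"`;
  }
  return header;
}

// Check for applications that derive field names from untrusted input
// (e.g. JSON object keys): true when the raw value could terminate the
// header line or close the quoted value, which is what the fix neutralises.
function needsEscaping(value) {
  return /[\r\n"]/.test(String(value));
}

// Constructed sample: a key that would otherwise end the header line.
const untrustedKey = 'user"\r\nX-Injected: yes';
console.log(needsEscaping(untrustedKey)); // true
console.log(contentDisposition(untrustedKey, 'report.txt'));
// The result is a single line: the CR/LF pair survives only as %0D%0A.
```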