
May 2026 Security Releases

Ulises Gascon May 31, 2026

The Express team has released multiparty 4.3.0, addressing three denial of service vulnerabilities in the multipart form parser.

Warning

We recommend upgrading to the latest version of multiparty to secure your applications. If you have a package-lock.json, you can update the dependency by running:

npm update multiparty

The following vulnerabilities have been addressed:

CVE-2026-8159 in multiparty utility module (High)

multiparty versions <= 4.2.3 are vulnerable to regular expression denial of service via filename parsing

A crafted multipart upload with a long header value can cause regex matching in the Content-Disposition filename parser to take seconds, blocking the Node.js event loop. Any service accepting multipart uploads via multiparty is affected. A small header of around 8 KB is sufficient to trigger the vulnerable backtracking.

Affected versions: <= 4.2.3
Patched version: >= 4.3.0

For more details, see GHSA-65x3-rw7q-gx94.

CVE-2026-8161 in multiparty utility module (High)

multiparty versions <= 4.2.3 are vulnerable to denial of service via prototype pollution leading to an uncaught exception

A multipart upload with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString causes the parser to invoke .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Any service accepting multipart uploads via multiparty is affected.

Affected versions: <= 4.2.3
Patched version: >= 4.3.0

For more details, see GHSA-qxch-whhj-8956.
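
The failure mode described above, next to one way to avoid it in your own field-accumulation code. This is an added example, not multiparty's source: the function names and the sample part list are hypothetical, and the input is constructed.

```javascript
// Added illustration, not multiparty's code. All names here are hypothetical.
// Constructed sample: [fieldName, value] pairs as a form parser might emit them.
const SAMPLE_PARTS = [
  ['title', 'report'],
  ['tag', 'a'],
  ['tag', 'b'],
  ['toString', 'x'],
  ['constructor', 'y'],
  ['__proto__', 'z'],
];

// Vulnerable pattern: a plain {} inherits from Object.prototype, so
// fields['toString'] is already a function and the "already set?" test passes.
function collectFieldsUnsafe(parts) {
  const fields = {};
  for (const [name, value] of parts) {
    if (!fields[name]) fields[name] = [];
    fields[name].push(value); // TypeError: inherited value has no .push()
  }
  return fields;
}

// Hardened pattern: a prototype-less object has no inherited keys, so every
// name, including "__proto__", becomes an ordinary own property.
function collectFieldsSafe(parts) {
  const fields = Object.create(null);
  for (const [name, value] of parts) {
    if (!Array.isArray(fields[name])) fields[name] = [];
    fields[name].push(value);
  }
  return fields;
}

// Runs a collector and reports the result instead of letting the error escape.
function outcome(collect, parts) {
  try {
    return { ok: true, keys: Object.keys(collect(parts)) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

console.log('unsafe:', outcome(collectFieldsUnsafe, SAMPLE_PARTS));
console.log('safe:  ', outcome(collectFieldsSafe, SAMPLE_PARTS));
```

Code that reads the hardened result must not call inherited methods such as `fields.hasOwnProperty(...)`, because a prototype-less object has none; use `Object.keys(fields)` or the `in` operator instead.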

CVE-2026-8162 in multiparty utility module (High)

multiparty versions <= 4.2.3 are vulnerable to denial of service via an uncaught exception in filename* parameter parsing

A multipart upload with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding causes the parser to invoke decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Any service accepting multipart uploads via multiparty is affected.

Affected versions: <= 4.2.3
Patched version: >= 4.3.0

For more details, see GHSA-xh3c-6gcq-g4rv.


We recommend upgrading to the latest version of multiparty to secure your applications.
