Fluid Attacks Database

Description

multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception

Impact

[email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property (e.g., __proto__, constructor, toString), the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Any service accepting multipart uploads via multiparty is affected.

Patches

Users should upgrade to [email protected] or higher.

Workarounds

None.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	node-multiparty	=4.2.2-2 \|\| =4.2.2-3 \|\| =4.2.3-1 \|\| =4.2.3-2 \|\| =4.2.3-3 \|\| =4.2.3-4 \|\| =4.2.3-5 \|\| =4.3.0+~4.2.1-1 \|\| =4.3.0-1	-
debian 12	node-multiparty	=4.2.3-2 \|\| =4.2.3-3 \|\| =4.2.3-4 \|\| =4.2.3-5 \|\| =4.3.0+~4.2.1-1 \|\| =4.3.0-1	-
debian 13	node-multiparty	=4.2.3-3 \|\| =4.2.3-4 \|\| =4.2.3-5 \|\| =4.3.0+~4.2.1-1 \|\| =4.3.0-1	-
debian 14	node-multiparty	=4.2.3-3 \|\| =4.2.3-4 \|\| =4.2.3-5 \|\| >=0 <4.3.0-1	4.3.0-1
npm	multiparty	>=0 <4.3.0	4.3.0

Aliases

1. CVE-2026-81612. NVD-2026-81613. OSV-DEBIAN-2026-81614. OSV-2026-81615. GHSA-qxch-whhj-89566. GCVE-2026-81617. SECURITY-TRACKER-CVE-2026-8161

References

1. https://github.com/Ser0n-ath/multiparty-CVE-2026-81612. https://github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-89563. https://cna.openjsf.org/security-advisories.html4. https://github.com/pillarjs/multiparty/releases/tag/v4.3.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.