Fluid Attacks Database

Description

multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing

Impact

[email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition: filename*=utf-8'' header containing a malformed percent-encoding (e.g., %FF, %GG), the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Any service accepting multipart uploads via multiparty is affected.

Patches

Users should upgrade to [email protected] or higher.

Workarounds

None.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	node-multiparty	=4.2.3-3 \|\| =4.2.3-4 \|\| =4.2.3-5 \|\| >=0 <4.3.0-1	4.3.0-1
debian 11	node-multiparty	=4.2.2-2 \|\| =4.2.2-3 \|\| =4.2.3-1 \|\| =4.2.3-2 \|\| =4.2.3-3 \|\| =4.2.3-4 \|\| =4.2.3-5 \|\| =4.3.0+~4.2.1-1 \|\| =4.3.0-1	-
debian 12	node-multiparty	=4.2.3-2 \|\| =4.2.3-3 \|\| =4.2.3-4 \|\| =4.2.3-5 \|\| =4.3.0+~4.2.1-1 \|\| =4.3.0-1	-
debian 13	node-multiparty	=4.2.3-3 \|\| =4.2.3-4 \|\| =4.2.3-5 \|\| =4.3.0+~4.2.1-1 \|\| =4.3.0-1	-
npm	multiparty	>=0 <4.3.0	4.3.0

Aliases

1. CVE-2026-81622. NVD-2026-81623. OSV-DEBIAN-2026-81624. OSV-2026-81625. GHSA-xh3c-6gcq-g4rv6. GCVE-2026-81627. SECURITY-TRACKER-CVE-2026-8162

References

1. https://github.com/pillarjs/multiparty/security/advisories/GHSA-xh3c-6gcq-g4rv2. https://cna.openjsf.org/security-advisories.html3. https://github.com/pillarjs/multiparty/releases/tag/v4.3.0