Fluid Attacks Database

Description

multiparty vulnerable to ReDoS via filename parsing

Impact

[email protected] and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A multipart upload with a long header value containing !filename="1 repeated can cause regex matching to take seconds, blocking the event loop. Any service accepting multipart uploads via multiparty is affected.

Patches

Users should upgrade to [email protected] or higher.

Workarounds

None. Limiting upload sizes at the proxy/gateway layer reduces but does not eliminate the attack surface, since a small ~8 KB header is sufficient to trigger the vulnerable backtracking.

Resources

OWASP: Regular expression Denial of Service (ReDoS)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	node-multiparty	=4.2.3-3 \|\| =4.2.3-4 \|\| =4.2.3-5 \|\| >=0 <4.3.0-1	4.3.0-1
debian 11	node-multiparty	=4.2.2-2 \|\| =4.2.2-3 \|\| =4.2.3-1 \|\| =4.2.3-2 \|\| =4.2.3-3 \|\| =4.2.3-4 \|\| =4.2.3-5 \|\| =4.3.0+~4.2.1-1 \|\| =4.3.0-1	-
debian 12	node-multiparty	=4.2.3-2 \|\| =4.2.3-3 \|\| =4.2.3-4 \|\| =4.2.3-5 \|\| =4.3.0+~4.2.1-1 \|\| =4.3.0-1	-
debian 13	node-multiparty	=4.2.3-3 \|\| =4.2.3-4 \|\| =4.2.3-5 \|\| =4.3.0+~4.2.1-1 \|\| =4.3.0-1	-
npm	multiparty	>=0 <4.3.0	4.3.0

Aliases

1. CVE-2026-81592. NVD-2026-81593. OSV-DEBIAN-2026-81594. OSV-2026-81595. GHSA-65x3-rw7q-gx946. GCVE-2026-81597. SECURITY-TRACKER-CVE-2026-8159

References

1. https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx942. https://cna.openjsf.org/security-advisories.html3. https://github.com/pillarjs/multiparty/releases/tag/v4.3.04. https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS