
multiparty CVE-2026-8159

EUVD-2026-29439 | HIGH | CVSS 3.1: 7.5
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-05-12 | openjs | GHSA-65x3-rw7q-gx94

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

Lifecycle Timeline

  • Analysis Generated: May 12, 2026 - 10:05 (vuln.today)
  • CVE Published: May 12, 2026 - 08:35 (nvd), HIGH 7.5

Blast Radius

ecosystem impact
  • 966 npm packages depend on multiparty (514 direct, 462 indirect)

Ecosystem-wide dependent count for version 4.3.0.

Description (NVD)

multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to multiparty@4.3.0 or higher.

Analysis (AI)

Regular expression denial of service in multiparty (npm package) versions 4.2.3 and below allows remote unauthenticated attackers to block the Node.js event loop for seconds via crafted Content-Disposition headers in multipart uploads. The vulnerability triggers catastrophic backtracking in the filename parameter parser with headers as small as 8 KB. …


Remediation (AI)

Within 24 hours: Audit all Node.js applications for multiparty package usage via 'npm list multiparty' and document current versions in use. Within 7 days: Upgrade multiparty to version 4.3.0 or later across all development, staging, and production environments, and test file upload functionality end-to-end. …
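
The audit step can also be run against a parsed package-lock.json, which surfaces nested transitive copies of multiparty. This Node.js sketch is an added example, not code from the advisory or the multiparty project; `classify`, `findAffected` and the sample lockfile are hypothetical names and constructed data, and only the 4.3.0 threshold comes from the description above.

```javascript
// Added example: list multiparty installs below the fixed release (4.3.0)
// in a parsed package-lock.json. Covers lockfileVersion 2/3 ("packages")
// and the nested lockfileVersion 1 layout ("dependencies").
const FIXED = [4, 3, 0]; // first fixed version stated in the advisory

// Returns 'ok', 'below-fixed', or 'review' (not plain semver, or a 4.3.0 prerelease).
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[^+]+)?(\+.*)?$/.exec(String(version));
  if (!m) return 'review'; // git/tarball/link spec: check by hand
  const nums = [+m[1], +m[2], +m[3]];
  for (let i = 0; i < 3; i++) {
    if (nums[i] !== FIXED[i]) return nums[i] < FIXED[i] ? 'below-fixed' : 'ok';
  }
  return m[4] ? 'review' : 'ok'; // 4.3.0-x prerelease: fix status not stated
}

function findAffected(lock, name = 'multiparty') {
  const hits = [];
  const record = (path, version) => {
    const status = classify(version);
    if (status !== 'ok') hits.push({ path, version, status });
  };
  // lockfileVersion 2/3: flat map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + name)) record(path, meta.version);
  }
  // lockfileVersion 1: nested tree (skipped when "packages" is present).
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = trail + 'node_modules/' + dep;
      if (dep === name) record(path, meta.version);
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'upload-service', version: '1.0.0' },
    'node_modules/multiparty': { version: '4.3.0' },
    'node_modules/legacy-forms/node_modules/multiparty': { version: '4.2.3' },
    'node_modules/img-proxy/node_modules/multiparty': { version: '4.3.0-rc.1' },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

For a real project, pass the object obtained by parsing the project's own package-lock.json in place of the sample.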
