Skip to main content

multiparty CVE-2026-8159

| EUVDEUVD-2026-29439 HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-05-12 openjs GHSA-65x3-rw7q-gx94
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 10:05 vuln.today
CVE Published
May 12, 2026 - 08:35 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 967 npm packages depend on multiparty (515 direct, 462 indirect)

Ecosystem-wide dependent count for version 4.3.0.

DescriptionCVE.org

multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to multiparty@4.3.0 or higher.

AnalysisAI

Regular expression denial of service in multiparty (npm package) versions 4.2.3 and below allows remote unauthenticated attackers to block the Node.js event loop for seconds via crafted Content-Disposition headers in multipart uploads. The vulnerability triggers catastrophic backtracking in the filename parameter parser with headers as small as 8 KB. Fixed in multiparty 4.3.0. EPSS data not available; no active exploitation confirmed at time of analysis, but the low complexity (AV:N/AC:L/PR:N/UI:N) and availability of detailed public advisory increase weaponization risk for any web service accepting file uploads through this library.

Technical ContextAI

multiparty is a popular Node.js middleware library for parsing multipart/form-data, commonly used in Express.js and similar frameworks for handling file uploads. The vulnerability resides in CWE-1333 (Inefficient Regular Expression Complexity), specifically in the regex pattern used to parse the Content-Disposition filename parameter during multipart boundary processing. Regular expression denial of service (ReDoS) occurs when a regex engine exhibits exponential time complexity on certain input patterns, causing catastrophic backtracking. In Node.js single-threaded event loop architecture, regex operations are synchronous and blocking, meaning a slow regex match freezes the entire application. The affected CPE cpe:2.3:a:multiparty:multiparty:*:*:*:*:*:*:*:* covers all versions below the patched release. The OpenJS Foundation (package reporter) maintains this library as part of the pillarjs organization's HTTP utility ecosystem.

RemediationAI

Upgrade multiparty to version 4.3.0 or higher immediately, which contains the patched regex pattern that eliminates catastrophic backtracking. Update package.json dependency and run npm update multiparty or yarn upgrade multiparty, then verify the installed version with npm list multiparty. Review transitive dependencies using npm ls multiparty to identify indirect inclusions through other packages like connect-multiparty or formidable-based middleware. If immediate upgrade is blocked by compatibility testing, implement compensating controls: deploy rate limiting at the reverse proxy layer (e.g., nginx limit_req or AWS WAF) to restrict requests per IP to 10-20/minute; add application-level request timeout middleware that aborts processing after 2-3 seconds using Node.js AbortController; configure web application firewalls to inspect and block multipart requests with Content-Disposition headers exceeding 4 KB; implement request queue depth limits to prevent event loop starvation under attack. Note these mitigations reduce but do not eliminate risk, as the 8 KB trigger is below most size limits, and sophisticated attackers can rotate IPs to bypass rate limiting. Long-term, eliminate this library if not actively maintained or migrate to alternatives like busboy (4.x+) or formidable that have addressed ReDoS concerns. Reference the OpenJS Foundation security advisories at https://cna.openjsf.org/security-advisories.html and OWASP ReDoS guidance at https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS for detection patterns.

Share

CVE-2026-8159 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy