Skip to main content

multiparty CVE-2026-8161

| EUVDEUVD-2026-29440 HIGH
Uncaught Exception (CWE-248)
2026-05-12 openjs GHSA-qxch-whhj-8956
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 10:05 vuln.today
CVE Published
May 12, 2026 - 08:50 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 967 npm packages depend on multiparty (515 direct, 462 indirect)

Ecosystem-wide dependent count for version 4.3.0.

DescriptionCVE.org

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.

AnalysisAI

Denial of service in multiparty (Node.js multipart/form-data parser) versions ≤4.2.3 crashes Node.js processes when attackers send crafted form uploads with field names matching JavaScript Object prototype properties (__proto__, constructor, toString). CVSS 7.5 (High) with network vector and no authentication required. No public exploit code identified at time of analysis, but exploitation is trivial given the straightforward prototype pollution attack pattern. Services accepting file uploads via multiparty are immediately affected until upgraded to 4.3.0+.

Technical ContextAI

multiparty is a widely-used Node.js library for parsing multipart/form-data HTTP requests, commonly used for file uploads in Express.js and other web frameworks. The vulnerability stems from CWE-248 (Uncaught Exception), where the parser uses JavaScript object property access without validating against inherited prototype chain properties. When processing field names, multiparty attempts to call .push() on what it expects to be an array but is actually a function or non-array prototype property (Object.prototype.constructor, Object.prototype.toString, or the notorious __proto__). This throws a TypeError that is not caught by the parser's error handling, allowing it to propagate to the Node.js event loop and terminate the process. The CPE cpe:2.3:a:multiparty:multiparty:*:*:*:*:*:*:*:* confirms this affects the npm package itself rather than a specific application implementation. Prototype pollution vulnerabilities are well-understood in the Node.js ecosystem, making this attack vector predictable despite no public POC being confirmed.

RemediationAI

Upgrade multiparty to version 4.3.0 or higher immediately-this is the only effective fix per vendor advisory. Update package.json dependency to "multiparty": "^4.3.0" and run npm update or yarn upgrade, then restart application servers. Verify upgrade with npm ls multiparty to confirm no transitive dependencies pin older versions. The vendor explicitly states no workarounds exist, meaning compensating controls cannot substitute for patching. For organizations requiring temporary risk reduction before upgrade windows: implement Web Application Firewall (WAF) rules to block HTTP requests with field names matching __proto__, constructor, toString, or other Object.prototype properties (note: this is fragile-attackers may find alternate property names, and blocking may break legitimate functionality using these strings in non-malicious contexts). Rate limiting and request size restrictions provide minimal defense-in-depth but do not prevent exploitation. Applications unable to upgrade immediately should consider temporarily disabling file upload features or migrating to alternative parsers (busboy, formidable) until patching is feasible. Advisory reference: https://github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-8956

Share

CVE-2026-8161 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy