Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 967 npm packages depend on multiparty (515 direct, 462 indirect)
Ecosystem-wide dependent count for version 4.3.0.
DescriptionCVE.org
multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
AnalysisAI
Denial of service crashes multiparty Node.js parser versions ≤4.2.3 when processing malformed percent-encoded filename* parameters in multipart/form-data uploads. Attackers can remotely crash any Node.js service using vulnerable multiparty versions by sending a single crafted HTTP request with no authentication required (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, but exploitation is trivial given the straightforward attack vector. Vendor-released patch: multiparty@4.3.0.
Technical ContextAI
multiparty is a widely-used Node.js library for parsing multipart/form-data (RFC 7578), commonly used in web applications handling file uploads. The vulnerability resides in the parser's handling of RFC 8187 extended filename parameters (filename*). Per RFC 8187, filename* supports percent-encoded UTF-8 values. The parser calls JavaScript's native decodeURI() function on these values without exception handling. When an attacker sends malformed percent-encoding (e.g., incomplete sequences like '%E0%A' or invalid hex like '%ZZ'), decodeURI() throws a URIError exception. Because multiparty lacks try/catch wrapping this call, the exception propagates uncaught through the Node.js event loop, triggering an unhandled exception that terminates the entire process. This is classified as CWE-755 (Improper Handling of Exceptional Conditions), specifically failing to anticipate and handle predictable error states from external input parsing. The affected CPE confirms impact across all multiparty versions prior to the fix.
RemediationAI
Upgrade multiparty to version 4.3.0 or higher immediately, as confirmed by the vendor advisory at https://github.com/pillarjs/multiparty/security/advisories/GHSA-xh3c-6gcq-g4rv. For Node.js projects, run 'npm install multiparty@4.3.0' or 'npm update multiparty' and verify the updated version in package-lock.json. The fix adds proper exception handling around decodeURI() calls to catch URIError and handle malformed input gracefully without crashing. No workarounds exist per the CVE description-the only effective remediation is upgrading to the patched version. If immediate patching is not feasible, implement application-level process restart mechanisms (PM2, systemd with Restart=always, Kubernetes liveness probes) to automatically recover from crashes, though this only mitigates availability duration and does not prevent the denial-of-service condition. Consider rate limiting on upload endpoints to slow repeated crash attempts, but recognize this is compensating control only and upgrading remains mandatory. Review OpenJS Foundation security advisories at https://cna.openjsf.org/security-advisories.html for additional context.
More in Multiparty
View allDenial of service in multiparty (Node.js multipart/form-data parser) versions ≤4.2.3 crashes Node.js processes when atta
Regular expression denial of service in multiparty (npm package) versions 4.2.3 and below allows remote unauthenticated
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29441
GHSA-xh3c-6gcq-g4rv