Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 967 npm packages depend on multiparty (515 direct, 462 indirect)
Ecosystem-wide dependent count for version 4.3.0.
DescriptionCVE.org
multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
AnalysisAI
Denial of service in multiparty (Node.js multipart/form-data parser) versions ≤4.2.3 crashes Node.js processes when attackers send crafted form uploads with field names matching JavaScript Object prototype properties (__proto__, constructor, toString). CVSS 7.5 (High) with network vector and no authentication required. No public exploit code identified at time of analysis, but exploitation is trivial given the straightforward prototype pollution attack pattern. Services accepting file uploads via multiparty are immediately affected until upgraded to 4.3.0+.
Technical ContextAI
multiparty is a widely-used Node.js library for parsing multipart/form-data HTTP requests, commonly used for file uploads in Express.js and other web frameworks. The vulnerability stems from CWE-248 (Uncaught Exception), where the parser uses JavaScript object property access without validating against inherited prototype chain properties. When processing field names, multiparty attempts to call .push() on what it expects to be an array but is actually a function or non-array prototype property (Object.prototype.constructor, Object.prototype.toString, or the notorious __proto__). This throws a TypeError that is not caught by the parser's error handling, allowing it to propagate to the Node.js event loop and terminate the process. The CPE cpe:2.3:a:multiparty:multiparty:*:*:*:*:*:*:*:* confirms this affects the npm package itself rather than a specific application implementation. Prototype pollution vulnerabilities are well-understood in the Node.js ecosystem, making this attack vector predictable despite no public POC being confirmed.
RemediationAI
Upgrade multiparty to version 4.3.0 or higher immediately-this is the only effective fix per vendor advisory. Update package.json dependency to "multiparty": "^4.3.0" and run npm update or yarn upgrade, then restart application servers. Verify upgrade with npm ls multiparty to confirm no transitive dependencies pin older versions. The vendor explicitly states no workarounds exist, meaning compensating controls cannot substitute for patching. For organizations requiring temporary risk reduction before upgrade windows: implement Web Application Firewall (WAF) rules to block HTTP requests with field names matching __proto__, constructor, toString, or other Object.prototype properties (note: this is fragile-attackers may find alternate property names, and blocking may break legitimate functionality using these strings in non-malicious contexts). Rate limiting and request size restrictions provide minimal defense-in-depth but do not prevent exploitation. Applications unable to upgrade immediately should consider temporarily disabling file upload features or migrating to alternative parsers (busboy, formidable) until patching is feasible. Advisory reference: https://github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-8956
More in Multiparty
View allSame weakness CWE-248 – Uncaught Exception
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29440
GHSA-qxch-whhj-8956