Skip to main content

multiparty EUVDEUVD-2026-29441

| CVE-2026-8162 HIGH
Improper Handling of Exceptional Conditions (CWE-755)
2026-05-12 openjs GHSA-xh3c-6gcq-g4rv
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 10:05 vuln.today
CVE Published
May 12, 2026 - 09:05 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 967 npm packages depend on multiparty (515 direct, 462 indirect)

Ecosystem-wide dependent count for version 4.3.0.

DescriptionCVE.org

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.

AnalysisAI

Denial of service crashes multiparty Node.js parser versions ≤4.2.3 when processing malformed percent-encoded filename* parameters in multipart/form-data uploads. Attackers can remotely crash any Node.js service using vulnerable multiparty versions by sending a single crafted HTTP request with no authentication required (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, but exploitation is trivial given the straightforward attack vector. Vendor-released patch: multiparty@4.3.0.

Technical ContextAI

multiparty is a widely-used Node.js library for parsing multipart/form-data (RFC 7578), commonly used in web applications handling file uploads. The vulnerability resides in the parser's handling of RFC 8187 extended filename parameters (filename*). Per RFC 8187, filename* supports percent-encoded UTF-8 values. The parser calls JavaScript's native decodeURI() function on these values without exception handling. When an attacker sends malformed percent-encoding (e.g., incomplete sequences like '%E0%A' or invalid hex like '%ZZ'), decodeURI() throws a URIError exception. Because multiparty lacks try/catch wrapping this call, the exception propagates uncaught through the Node.js event loop, triggering an unhandled exception that terminates the entire process. This is classified as CWE-755 (Improper Handling of Exceptional Conditions), specifically failing to anticipate and handle predictable error states from external input parsing. The affected CPE confirms impact across all multiparty versions prior to the fix.

RemediationAI

Upgrade multiparty to version 4.3.0 or higher immediately, as confirmed by the vendor advisory at https://github.com/pillarjs/multiparty/security/advisories/GHSA-xh3c-6gcq-g4rv. For Node.js projects, run 'npm install multiparty@4.3.0' or 'npm update multiparty' and verify the updated version in package-lock.json. The fix adds proper exception handling around decodeURI() calls to catch URIError and handle malformed input gracefully without crashing. No workarounds exist per the CVE description-the only effective remediation is upgrading to the patched version. If immediate patching is not feasible, implement application-level process restart mechanisms (PM2, systemd with Restart=always, Kubernetes liveness probes) to automatically recover from crashes, though this only mitigates availability duration and does not prevent the denial-of-service condition. Consider rate limiting on upload endpoints to slow repeated crash attempts, but recognize this is compensating control only and upgrading remains mandatory. Review OpenJS Foundation security advisories at https://cna.openjsf.org/security-advisories.html for additional context.

Share

EUVD-2026-29441 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy