EUVD-2026-29441
GHSA-xh3c-6gcq-g4rv
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2Blast Radius
ecosystem impact- 966 npm packages depend on multiparty (514 direct, 462 indirect)
Ecosystem-wide dependent count for version 4.3.0.
DescriptionNVD
multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
AnalysisAI
Denial of service crashes multiparty Node.js parser versions ≤4.2.3 when processing malformed percent-encoded filename* parameters in multipart/form-data uploads. Attackers can remotely crash any Node.js service using vulnerable multiparty versions by sending a single crafted HTTP request with no authentication required (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: inventory all Node.js applications and dependencies using multiparty ≤4.2.3 via package-lock.json and npm audit scanning. Within 7 days: upgrade multiparty to version 4.3.0 or later across all affected applications and redeploy. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today