Skip to main content

form-data EUVDEUVD-2026-36524

| CVE-2026-12143 HIGH
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-06-12 harborist GHSA-hmw2-7cc7-3qxx
8.7
CVSS 4.0 · Vendor: harborist
Share

Severity by source

Vendor (harborist) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Network-reachable header injection with no auth or UI; scope changes because form-data corrupts a downstream parser's view of the request, with integrity-only impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (harborist).

CVSS VectorVendor: harborist

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 12, 2026 - 19:25 vuln.today
Analysis Generated
Jun 12, 2026 - 19:25 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1,051 npm packages depend on form-data (164 direct, 891 indirect)

Ecosystem-wide dependent count for version 3.0.0.

DescriptionCVE.org

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the field argument to FormData#append and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set is_admin=true) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and " as %0D, %0A, and %22 in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.

AnalysisAI

CRLF injection in the form-data Node.js library (versions through 4.0.5) allows remote attackers to inject arbitrary multipart headers or smuggle additional form parts by supplying attacker-controlled field names or filenames containing CR, LF, or double-quote characters. The library concatenates these values verbatim into the Content-Disposition header without escaping, enabling parameter tampering (e.g., overriding is_admin=true) against downstream multipart parsers. No public exploit identified at time of analysis, though the vulnerability is patched in 2.5.6, 3.0.5, and 4.0.6.

Technical ContextAI

form-data is a widely used Node.js library (npm: form-data) for constructing readable multipart/form-data streams, commonly used by HTTP clients like request, axios, and node-fetch wrappers when forwarding multipart bodies. The flaw is a CWE-93 (CRLF Injection) issue: the FormData#append method's field argument and the filename option are inserted directly into the Content-Disposition header line without sanitizing the CR (\r), LF (\n), or double-quote (") characters that delimit MIME headers and quoted parameter values. The WHATWG HTML specification's multipart/form-data encoding algorithm mandates that browsers escape these characters as %0D, %0A, and %22 respectively - the fix aligns the library's serialization with this browser-side behavior. The affected CPE is cpe:2.3:a:form-data:form-data:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patches are available: upgrade form-data to 4.0.6 (4.x line), 3.0.5 (3.x line), or 2.5.6 (2.x line), per the advisory at https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx and commits 64190db, be3f3cf, and c7133499 on GitHub. Because form-data is frequently a transitive dependency, run npm ls form-data (or equivalent for yarn/pnpm) to identify indirect consumers and use overrides/resolutions to force the patched version. As a compensating control until upgrade, audit application code to ensure field names and filenames passed to FormData#append are never derived from untrusted input - restrict them to a fixed allowlist of trusted strings, or pre-validate/strip CR (\r), LF (\n), and double-quote (") characters before invocation; the trade-off is that this requires identifying every call site, and missed call sites remain exploitable.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 12 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-36524 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy