Skip to main content

Form Data

1 CVEs product

Monthly

CVE-2026-12143 npm HIGH PATCH GHSA This Week

CRLF injection in the form-data Node.js library (versions through 4.0.5) allows remote attackers to inject arbitrary multipart headers or smuggle additional form parts by supplying attacker-controlled field names or filenames containing CR, LF, or double-quote characters. The library concatenates these values verbatim into the Content-Disposition header without escaping, enabling parameter tampering (e.g., overriding is_admin=true) against downstream multipart parsers. No public exploit identified at time of analysis, though the vulnerability is patched in 2.5.6, 3.0.5, and 4.0.6.

Code Injection Form Data
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
EPSS 0% CVSS 8.7
HIGH PATCH This Week

CRLF injection in the form-data Node.js library (versions through 4.0.5) allows remote attackers to inject arbitrary multipart headers or smuggle additional form parts by supplying attacker-controlled field names or filenames containing CR, LF, or double-quote characters. The library concatenates these values verbatim into the Content-Disposition header without escaping, enabling parameter tampering (e.g., overriding is_admin=true) against downstream multipart parsers. No public exploit identified at time of analysis, though the vulnerability is patched in 2.5.6, 3.0.5, and 4.0.6.

Code Injection Form Data
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy