Form Data
Monthly
CRLF injection in the form-data Node.js library (versions through 4.0.5) allows remote attackers to inject arbitrary multipart headers or smuggle additional form parts by supplying attacker-controlled field names or filenames containing CR, LF, or double-quote characters. The library concatenates these values verbatim into the Content-Disposition header without escaping, enabling parameter tampering (e.g., overriding is_admin=true) against downstream multipart parsers. No public exploit identified at time of analysis, though the vulnerability is patched in 2.5.6, 3.0.5, and 4.0.6.
CRLF injection in the form-data Node.js library (versions through 4.0.5) allows remote attackers to inject arbitrary multipart headers or smuggle additional form parts by supplying attacker-controlled field names or filenames containing CR, LF, or double-quote characters. The library concatenates these values verbatim into the Content-Disposition header without escaping, enabling parameter tampering (e.g., overriding is_admin=true) against downstream multipart parsers. No public exploit identified at time of analysis, though the vulnerability is patched in 2.5.6, 3.0.5, and 4.0.6.