Description
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
Published: 2026-06-12
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The form-data library concatenates the field name and filename arguments into the Content-Disposition header without escaping carriage return, line feed, or double-quote characters. This omission allows an attacker-controlled value to terminate the header line and inject arbitrary additional headers, or even smuggle entire additional multipart parts into the request. In practice, an attacker can add or override downstream form fields (for example, setting "is_admin=true"), enabling privilege escalation or other unauthorized actions. The weakness is a classic CRLF injection flaw (CWE-93).

Affected Systems

Any Node.js or JavaScript application that relies on the form-data package through version 4.0.5 is affected. The vulnerability is fixed in releases 2.5.6, 3.0.5, and 4.0.6. Applications that use form-data to build multipart requests from user-supplied field names or filenames are at risk.

Risk and Exploitability

The CVSS score of 8.7 marks this issue as high severity. No EPSS score is available, and the issue is not listed in CISA KEV. Based on the description, the likely attack vector is services that receive user input, such as JSON keys or file names, and forward it directly to FormData#append. If that occurs, an attacker can manipulate the downstream request, potentially gaining unauthorized access or tampering with data.

Generated by OpenCVE AI on June 12, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade form-data to at least version 2.5.6, 3.0.5, or 4.0.6.
  • Replace any calls to FormData#append that use dynamic field names or filenames with static, predefined values; remove untrusted input entirely.
  • Validate and sanitize any field names or filenames that must remain dynamic, ensuring they contain no carriage return, line feed, or quote characters.
  • If an immediate upgrade is not feasible, deploy a proxy or filter that strips or encodes CR, LF, and quote characters from multipart field names and filenames before forwarding them to the backend.

Generated by OpenCVE AI on June 12, 2026 at 19:26 UTC.
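The following is an added illustration, not code from the form-data project, of the header-building step the description explains, the escaping the fixed releases apply, and the "validate and sanitize" check from the recommended actions; all function names are assumptions chosen for this example:

```javascript
// Added illustration, not code from the form-data package. Function names are
// assumptions chosen for this example.

// Vulnerable pattern described in the advisory: the field name and filename are
// written into the Content-Disposition header verbatim.
function unsafeContentDisposition(field, filename) {
  let header = 'Content-Disposition: form-data; name="' + field + '"';
  if (filename !== undefined) header += '; filename="' + filename + '"';
  return header;
}

// Escaping applied by the fixed releases (2.5.6, 3.0.5, 4.0.6): CR, LF and
// double quote become %0D, %0A and %22, as in the WHATWG multipart/form-data
// encoding algorithm that browsers follow.
function escapeMultipartName(value) {
  return String(value).replace(/\r/g, '%0D').replace(/\n/g, '%0A').replace(/"/g, '%22');
}

function safeContentDisposition(field, filename) {
  let header = 'Content-Disposition: form-data; name="' + escapeMultipartName(field) + '"';
  if (filename !== undefined) header += '; filename="' + escapeMultipartName(filename) + '"';
  return header;
}

// Input check for applications still on an unpatched release that must keep
// dynamic names: reject any value that could end the header line or the quoted
// string (the "validate and sanitize" step from the recommended actions).
function isSafeMultipartName(value) {
  return !/[\r\n"]/.test(String(value));
}

// Number of header lines a multipart parser would see in the emitted text.
function headerLineCount(header) {
  return header.split('\r\n').length;
}

// Constructed sample value: an untrusted JSON key carrying a quote and a CRLF.
// Not taken from any real request.
const untrustedField = 'comment"\r\nextra: header';

console.log(unsafeContentDisposition(untrustedField)); // two header lines
console.log(safeContentDisposition(untrustedField));   // one header line, bytes encoded
console.log(isSafeMultipartName(untrustedField));      // false
```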

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 19:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Form-data
                                      Form-data form-data
Vendors & Products                    Form-data
                                      Form-data form-data

Fri, 12 Jun 2026 19:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 18:45:00 +0000

Type          Values Removed   Values Added
Description                    form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
Title                          form-data does not escape CR/LF/quote in multipart field names and filenames (CRLF injection)
Weaknesses                     CWE-93
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
                               cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: harborist

Published:

Updated: 2026-06-12T19:04:44.024Z

Reserved: 2026-06-12T17:33:29.185Z

Link: CVE-2026-12143

Vulnrichment

Updated: 2026-06-12T19:03:56.430Z

NVD

Status : Received

Published: 2026-06-12T19:16:26.560

Modified: 2026-06-12T20:16:44.800

Link: CVE-2026-12143

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T19:30:31Z

Weaknesses
  • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')