Description
multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to multiparty@4.3.0 or higher.
Published: 2026-05-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

multiparty version 4.2.3 and earlier parse the filename field of multipart requests using a regular expression. A maliciously crafted header can trigger catastrophic backtracking, causing the server to consume CPU for seconds and potentially block the event loop. The consequence for the affected service is a denial of service: legitimate clients cannot complete requests, or the Node.js process becomes unresponsive.

Affected Systems

The vulnerability affects the multiparty library in Node.js applications that accept multipart form data. Any application that depends on multiparty@4.2.3 or lower is at risk.

Risk and Exploitability

The CVSS score of 7.5 reflects a high potential impact of a denial of service when an attacker can send a specially crafted multipart request. No EPSS score is currently available, and the issue is not listed in the CISA KEV catalog. The attack path requires the ability to submit multipart data to the vulnerable endpoint, which is typically accessible without authentication on publicly exposed upload APIs. Once the request is processed, the regular expression engine can consume significant CPU resources, degrading service availability for all users.

Generated by OpenCVE AI on May 12, 2026 at 10:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade multiparty to version 4.3.0 or newer to eliminate the backtracking flaw.
  • If upgrading immediately is not possible, enforce a strict upload size limit at a proxy or gateway layer to reduce the risk, understanding that a header as small as 8 KB can still trigger the issue.
  • Monitor the application’s event loop and CPU usage for spikes that may indicate an abuse attempt and respond by temporarily blocking traffic if a service disruption is detected.

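The advisory identifies the Content-Disposition filename parameter parser as the backtracking hot spot and notes that a header of around 8 KB is enough to trigger it. As an added example that is not multiparty's own code, the following single-pass parser reads the parameters of a multipart part's Content-Disposition header in linear time and rejects oversized headers; HEADER_LIMIT is an assumed cap chosen well below that 8 KB figure.

```javascript
// Added example, not multiparty's own code: a single-pass parser for the
// Content-Disposition parameters of a multipart part. Every character is
// visited once, so cost stays O(n) whatever the header contains, which is
// the property a backtracking regex lacks.
// HEADER_LIMIT is an assumed cap, set well below the ~8 KB the advisory
// says is sufficient to trigger the vulnerable backtracking.
const HEADER_LIMIT = 1024;

// Returns {name, filename, ...} for a `form-data` disposition, or null when
// the header is too long, malformed, or not a form-data disposition.
function parseContentDisposition(header) {
  if (typeof header !== 'string' || header.length > HEADER_LIMIT) return null;
  let i = header.indexOf(';');
  const type = (i === -1 ? header : header.slice(0, i)).trim().toLowerCase();
  if (type !== 'form-data') return null;
  const params = {};
  while (i !== -1) {
    i += 1;                                   // step past ';'
    const eq = header.indexOf('=', i);
    if (eq === -1) return null;               // parameter without '='
    const key = header.slice(i, eq).trim().toLowerCase();
    if (!key || key.includes(';') || key.includes('"')) return null;
    let j = eq + 1;
    let value = '';
    if (header[j] === '"') {
      // quoted-string: scan to the closing quote, honouring backslash escapes
      let closed = false;
      for (j += 1; j < header.length; j += 1) {
        const c = header[j];
        if (c === '\\' && j + 1 < header.length) { value += header[++j]; continue; }
        if (c === '"') { closed = true; j += 1; break; }
        value += c;
      }
      if (!closed) return null;               // unterminated quoted value
      i = header.indexOf(';', j);
      // only whitespace may sit between the closing quote and the next ';'
      if (header.slice(j, i === -1 ? header.length : i).trim() !== '') return null;
    } else {
      // token form: everything up to the next ';' (or the end of the header)
      i = header.indexOf(';', j);
      value = header.slice(j, i === -1 ? header.length : i).trim();
    }
    params[key] = value;
  }
  return params;
}
```

A constructed header such as `form-data; name="file"; filename="report.txt"` yields `{ name: 'file', filename: 'report.txt' }`, while a header longer than HEADER_LIMIT is rejected before any parsing work is done.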

Advisories

No advisories yet.

History

Tue, 12 May 2026 13:15:00 +0000

  • Metrics (ssvc), values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 09:30:00 +0000

  • Description, values added: multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to multiparty@4.3.0 or higher.
  • Title, values added: multiparty vulnerable to ReDoS via filename parsing
  • Weaknesses, values added: CWE-1333
  • References, values added: (empty)
  • Metrics (cvssV3_1), values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-05-12T12:33:59.418Z

Reserved: 2026-05-08T09:45:28.532Z

Link: CVE-2026-8159

Vulnrichment

Updated: 2026-05-12T12:33:56.826Z

NVD

Status: Awaiting Analysis

Published: 2026-05-12T10:16:48.857

Modified: 2026-05-12T15:08:22.857

Link: CVE-2026-8159

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T10:45:14Z

Weaknesses