Description
multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
Published: 2026-05-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to send multipart/form-data requests whose field names overlap with Object.prototype properties such as __proto__, constructor or toString. When multiparty parses these requests it invokes .push() on the prototype value rather than an array, causing a TypeError. The error bubbles up as an uncaught exception that crashes the Node.js process, effectively denying service to legitimate users.

Affected Systems

Any Node.js application that uses the multiparty package version 4.2.3 or earlier is affected. The issue appears in the npm package multiparty, and all services that accept multipart uploads through this library are potentially impacted. Versions 4.3.0 and above include the fix.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk. The EPSS score was not provided in the CVE data, and the vulnerability is not listed in CISA's KEV catalog, which suggests it is not actively exploited in known campaigns. Based on the description, the attack vector is remote, delivered via crafted HTTP multipart requests, and requires the target to accept such uploads. The description also implies that an attacker does not need privileged access to trigger the crash, making the exploit potentially widespread for services that rely on multiparty.

Generated by OpenCVE AI on May 12, 2026 at 12:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the multiparty package to at least version 4.3.0 where the vulnerability is fixed.
  • If upgrading is not immediately feasible, modify your request parsing logic to sanitize multipart field names by filtering out any that match Object.prototype properties before calling .push().
  • As an additional mitigation, configure your application to reject multipart requests that contain field names known to collide with Object.prototype properties (e.g., __proto__, constructor, toString) to prevent the unhandled exception.
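
The accumulator pattern behind the Impact section and the two mitigations in the recommended actions, as an added example written for this page (it is not multiparty's code, and the parsed field pairs are constructed input). The naive function keeps parsed fields in a plain object, so a name like toString resolves to the inherited function and .push() throws the TypeError the advisory describes; the hardened function rejects names that resolve on Object.prototype and stores fields in a Map, so no lookup can reach the prototype chain.

```javascript
// Added example (not multiparty's code): a field accumulator that reproduces
// the failure mode the advisory describes, beside a hardened version that
// follows the recommended mitigation (reject Object.prototype names) and
// keeps fields in a Map so no lookup can reach an inherited property.

// Constructed input: the (name, value) pairs a multipart/form-data parser
// would emit, including names that collide with Object.prototype members.
const SAMPLE_FIELDS = [
  ['username', 'alice'],
  ['tags', 'a'],
  ['tags', 'b'],
  ['toString', 'x'],    // resolves to an inherited function, not an array
  ['__proto__', 'y'],   // inherited accessor returning Object.prototype
  ['constructor', 'z'], // inherited Object constructor
];

// Naive accumulator: plain object plus a truthiness check. For 'toString'
// the lookup returns Object.prototype.toString, so .push is called on a
// function and throws TypeError; left unhandled, that kills the process.
function collectFieldsNaive(pairs) {
  const fields = {};
  for (const [name, value] of pairs) {
    if (!fields[name]) fields[name] = [];
    fields[name].push(value);
  }
  return fields;
}

// Helper for the demonstration: true when the naive accumulator throws a
// TypeError on the given input, false when it completes.
function naiveThrows(pairs) {
  try {
    collectFieldsNaive(pairs);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

// Mitigation 1: treat any name that resolves on Object.prototype as reserved.
// The `in` check also catches '__proto__', which is an accessor defined on
// Object.prototype rather than a data property.
function isReservedFieldName(name) {
  return typeof name !== 'string' || name in Object.prototype;
}

// Mitigation 2: keep parsed fields in a Map, whose keys never interact with
// the prototype chain. Reserved names are dropped and reported to the caller
// (which can reject the request) instead of crashing the process.
function collectFieldsSafe(pairs) {
  const fields = new Map();
  const rejected = [];
  for (const [name, value] of pairs) {
    if (isReservedFieldName(name)) {
      rejected.push(name);
      continue;
    }
    if (!fields.has(name)) fields.set(name, []);
    fields.get(name).push(value);
  }
  return { fields, rejected };
}

// Stand-alone run: `node fields.js` (file name is hypothetical).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive accumulator throws:', naiveThrows(SAMPLE_FIELDS));
  const { fields, rejected } = collectFieldsSafe(SAMPLE_FIELDS);
  console.log('accepted:', Object.fromEntries(fields));
  console.log('rejected:', rejected);
}
```

In a real request handler the non-empty rejected list is the signal to answer with a 4xx status and log the event; the Map alone already prevents the crash, and the explicit name check is what turns a silently ignored field into something a detection rule can see.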

Generated by OpenCVE AI on May 12, 2026 at 12:05 UTC.

Advisories

No advisories yet.

History

Tue, 12 May 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 09:30:00 +0000

Type | Values Removed | Values Added
Description | | multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
Title | | multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception
Weaknesses | | CWE-1321, CWE-248
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}



MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-05-12T12:32:10.127Z

Reserved: 2026-05-08T10:38:20.438Z

Link: CVE-2026-8161

Vulnrichment

Updated: 2026-05-12T12:32:04.313Z

NVD

Status: Awaiting Analysis

Published: 2026-05-12T10:16:48.987

Modified: 2026-05-12T15:08:22.857

Link: CVE-2026-8161

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T12:15:15Z

Weaknesses