Description
multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
Published: 2026-05-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed percent-encoding in the filename* parameter of a multipart/form-data request triggers an uncaught exception in the multiparty parser. The parser calls decodeURI without a try/catch block, so the resulting URIError propagates and causes the server process to crash. This is a denial of service vulnerability classified as CWE‑755.

Affected Systems

The vulnerability exists in multiparty version 4.2.3 and all earlier releases. Any application that uses this library to handle multipart uploads is potentially exposed unless it has been upgraded to version 4.3.0 or later.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk. While EPSS data is not available and the issue is not listed in the CISA KEV catalog, the vulnerability can be exploited by an attacker who can send a crafted multipart request to the target service. The likely attack vector is external, directed at the upload endpoint, and does not require authentication. The impact is immediate denial of service due to process termination.

Generated by OpenCVE AI on May 12, 2026 at 10:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade multiparty to version 4.3.0 or newer, as the issue has been resolved in that release.
  • If an upgrade is not immediately possible, replace multiparty with a different multipart parsing library that properly validates filename* values.
  • Implement error handling around the upload middleware to catch and recover from unexpected exceptions, preventing a process crash.
  • Monitor application logs and process health to detect accidental crashes and trigger alerts for rapid incident response.

Generated by OpenCVE AI on May 12, 2026 at 10:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
Title multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing
Weaknesses CWE-755
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-05-12T12:33:12.647Z

Reserved: 2026-05-08T11:05:42.781Z

Link: CVE-2026-8162

cve-icon Vulnrichment

Updated: 2026-05-12T12:33:08.706Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-12T10:16:49.110

Modified: 2026-05-12T15:08:22.857

Link: CVE-2026-8162

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T10:45:14Z

Weaknesses