Description
multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
Published: 2026-05-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed percent-encoding in the filename* parameter of a multipart/form-data request triggers an uncaught exception in the multiparty parser. The parser calls decodeURI without a try/catch block, so the resulting URIError propagates and causes the server process to crash. This is a denial of service vulnerability classified as CWE‑755.

Affected Systems

The vulnerability exists in multiparty version 4.2.3 and all earlier releases. Any application that uses this library to handle multipart uploads is potentially exposed unless it has been upgraded to version 4.3.0 or later.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk. While EPSS data is not available and the issue is not listed in the CISA KEV catalog, the vulnerability can be exploited by an attacker who can send a crafted multipart request to the target service. The likely attack vector is external, directed at the upload endpoint, and does not require authentication. The impact is immediate denial of service due to process termination.

Generated by OpenCVE AI on May 12, 2026 at 10:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade multiparty to version 4.3.0 or newer, as the issue has been resolved in that release.
  • If an upgrade is not immediately possible, replace multiparty with a different multipart parsing library that properly validates filename* values.
  • Implement error handling around the upload middleware to catch and recover from unexpected exceptions, preventing a process crash.
  • Monitor application logs and process health to detect accidental crashes and trigger alerts for rapid incident response.

Generated by OpenCVE AI on May 12, 2026 at 10:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xh3c-6gcq-g4rv multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing
History

Wed, 13 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Pillarjs
Pillarjs multiparty
CPEs cpe:2.3:a:pillarjs:multiparty:*:*:*:*:*:node.js:*:*
Vendors & Products Pillarjs
Pillarjs multiparty

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Multiparty
Multiparty multiparty
Vendors & Products Multiparty
Multiparty multiparty

Tue, 12 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
Title multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing
Weaknesses CWE-755
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Multiparty Multiparty
Pillarjs Multiparty
cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-05-12T12:33:12.647Z

Reserved: 2026-05-08T11:05:42.781Z

Link: CVE-2026-8162

cve-icon Vulnrichment

Updated: 2026-05-12T12:33:08.706Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T10:16:49.110

Modified: 2026-05-13T14:43:47.950

Link: CVE-2026-8162

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:39:13Z

Weaknesses