Advisories for Npm/Multiparty package

2026

multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property (e.g., proto, constructor, toString), the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Any service accepting multipart uploads via multiparty is affected.

multiparty vulnerable to ReDoS via filename parsing

multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A multipart upload with a long header value containing !filename="1 repeated can cause regex matching to take seconds, blocking the event loop. Any service accepting multipart uploads via multiparty is affected.

multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition: filename*=utf-8'' header containing a malformed percent-encoding (e.g., %FF, %GG), the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Any service accepting multipart uploads via multiparty is affected.