CVE-2026-8159

Published: May 12, 2026

Modified: May 12, 2026

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

[email protected] and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to [email protected] or higher.

Vendor	Product	Versions
multiparty	multiparty	affected `0 - <= 4.2.3` unaffected `4.3.0`

Weaknesses (CWE)

CWE-1333

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx94

https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

https://cna.openjsf.org/security-advisories.html

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-8159

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References