CVE-2026-8162: Critical DoS Vulnerability in multiparty npm Package Allows Server Crash via Malformed Request
A critical denial-of-service vulnerability has been identified in the popular multiparty npm package, potentially exposing countless Node.js applications to remote crash attacks. The flaw, tracked as CVE-2026-8162 with a CVSS score of 7.5 (High), affects all versions of multiparty up to and including version 4.2.3.
The vulnerability stems from an uncaught exception within the package's multipart/form-data parser. Attackers can exploit the flaw by sending specially crafted HTTP requests containing a Content-Disposition header with a malformed percent-encoded filename* parameter. When the parser attempts to process this malformed encoding, it triggers an unhandled exception that crashes the affected application process. This attack requires no authentication and can be executed remotely over the network, making it particularly dangerous for publicly accessible APIs and web services that rely on the multiparty package for handling file uploads or form submissions.
Developers using the multiparty package in their applications are strongly advised to update to a patched version immediately. Given the package's widespread use in the Node.js ecosystem for parsing multipart form data, the attack surface could be significant. Organizations should audit their dependency trees to determine if multiparty is present either directly or as a transitive dependency. Additionally, implementing rate limiting and input validation at the API gateway level could provide a temporary mitigation layer while patches are deployed. Monitoring for unusual patterns in Content-Disposition headers may also help detect exploitation attempts targeting this vulnerability.
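The following Node.js helper is an added example, not multiparty's code and not the vendor patch: it decodes a Content-Disposition filename* parameter so that a malformed value is rejected and reported rather than crashing the process, which also gives a hook for the header monitoring suggested above. It assumes the crash class is a URIError thrown by decodeURIComponent() on bad percent-encoding, which the advisory does not confirm; the function names and the sample headers are constructed for illustration.

```javascript
// Added example, not multiparty's code. Assumption: the uncaught exception is
// a URIError thrown by decodeURIComponent() on a malformed percent-encoded
// filename* value. Here that error is caught and turned into a reject reason
// that can also be logged for detection.

// Decode an RFC 5987 ext-value: charset "'" [language] "'" percent-encoded text
function parseExtValue(extValue) {
  const m = /^([^']*)'([^']*)'(.*)$/.exec(extValue);
  if (!m) return { ok: false, reason: "not an RFC 5987 ext-value" };
  if (m[1].toLowerCase() !== "utf-8") {
    return { ok: false, reason: `unsupported charset ${m[1]}` };
  }
  try {
    // Throws URIError on truncated or invalid sequences such as "%E0%A4%A"
    return { ok: true, filename: decodeURIComponent(m[3]) };
  } catch (err) {
    if (err instanceof URIError) {
      return { ok: false, reason: "malformed percent-encoding" };
    }
    throw err; // anything else is a genuine bug, do not mask it
  }
}

// Extract the upload filename from a Content-Disposition header value.
// Prefers filename* (RFC 6266) and never throws on attacker-controlled input.
function extractFilename(contentDisposition) {
  let plain;
  for (const part of contentDisposition.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim().toLowerCase();
    const value = part.slice(eq + 1).trim();
    if (name === "filename*") return parseExtValue(value);
    if (name === "filename") plain = value.replace(/^"(.*)"$/, "$1");
  }
  if (plain === undefined) return { ok: false, reason: "no filename parameter" };
  return { ok: true, filename: plain };
}

// Constructed sample headers: one valid, one with a truncated escape sequence.
const GOOD = "form-data; name=\"file\"; filename*=UTF-8''%E2%82%AC%20rates.csv";
const BAD = "form-data; name=\"file\"; filename*=UTF-8''%E0%A4%A";
console.log(extractFilename(GOOD)); // { ok: true, filename: '€ rates.csv' }
console.log(extractFilename(BAD));  // { ok: false, reason: 'malformed percent-encoding' }
```

A rejected result with reason "malformed percent-encoding" is the event worth counting per client at the gateway, since a legitimate browser does not emit a truncated escape sequence.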