CVE-2026-8162: Denial-of-Service Flaw Discovered in Multiparty Form-Data Parser
Security researchers have identified a high-severity vulnerability, tracked as CVE-2026-8162, affecting the multiparty library for Node.js. The flaw carries a CVSS score of 7.5 (High) and enables denial-of-service attacks through a specially crafted HTTP request that triggers an uncaught exception in the parser. Organizations that run an unpatched multiparty package in production environments face immediate exposure.
The vulnerability resides in how the library handles multipart/form-data requests. Specifically, when a Content-Disposition header contains a filename* parameter with malformed percent-encoding, the parser fails to process the input gracefully, causing an uncaught exception that crashes the application. Versions 4.2.3 and all prior releases are affected. The attack requires no authentication and can be executed remotely by sending a malicious request to any endpoint that accepts file uploads processed by the library.
Developers are urged to verify whether their applications directly or transitively depend on multiparty and apply patches as they become available. In the interim, implementing input validation at the application layer—particularly normalizing percent-encoded characters in Content-Disposition headers before passing data to the parser—may reduce exposure. Security teams should monitor for unusual patterns in multipart request logs and consider rate-limiting or restricting external-facing upload endpoints as a compensating control. Further technical details and a link to the official vulnerability disclosure are available through the cited sources.
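The application-layer check suggested above could look like the following sketch. It is an added example, not code from multiparty or from the advisory; the function name and sample headers are constructed, and it assumes the caller can see each part's Content-Disposition header value before the parser decodes it.

```javascript
// Added example; function names and sample headers are constructed.
// Checks the filename* parameter (RFC 5987 ext-value: charset'lang'value)
// of one part's Content-Disposition header and never throws on bad input.

const HAS_EXT_FILENAME = /;\s*filename\*\s*=/i;
const EXT_FILENAME = /;\s*filename\*\s*=\s*([^'";\s]+)'([^'";\s]*)'([^;]*)/i;
const BAD_PERCENT = /%(?![0-9A-Fa-f]{2})/; // '%' not followed by two hex digits

function checkContentDisposition(headerValue) {
  if (!HAS_EXT_FILENAME.test(headerValue)) {
    return { ok: true, filename: null }; // nothing to decode
  }
  const m = EXT_FILENAME.exec(headerValue);
  if (!m) return { ok: false, reason: 'filename* is not charset\'lang\'value' };

  const charset = m[1].toLowerCase();
  const raw = m[3].trim();
  if (BAD_PERCENT.test(raw)) {
    return { ok: false, reason: 'malformed percent-encoding' };
  }
  // Conservative choice for this example: only UTF-8 values are decoded.
  if (charset !== 'utf-8') {
    return { ok: false, reason: 'unsupported charset' };
  }
  try {
    // Well-formed escapes can still spell invalid UTF-8 (a lone %80, say);
    // decodeURIComponent raises URIError for those, so contain it here.
    return { ok: true, filename: decodeURIComponent(raw) };
  } catch (err) {
    if (err instanceof URIError) {
      return { ok: false, reason: 'invalid UTF-8 sequence' };
    }
    throw err;
  }
}

// Constructed sample headers.
const samples = [
  'form-data; name="upload"; filename*=UTF-8\'\'%e2%82%ac%20rates.txt',
  'form-data; name="upload"; filename*=UTF-8\'\'report%ZZ.pdf',
  'form-data; name="upload"; filename*=UTF-8\'\'%80.txt',
  'form-data; name="comment"',
];
for (const h of samples) console.log(JSON.stringify(checkContentDisposition(h)), '<-', h);
```

A part whose header comes back with ok set to false can be answered with a 400 response and logged, which also gives the security team a concrete signal to monitor.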