Back to list

multiparty vulnerable to ReDoS via filename parsing — CVE-2026-8159

GitHub · GitHub · CVE-2026-8159

ID
CVE-2026-8159
Date
Activity
Source
GitHub
Vendor
GitHub
Threat
high
CVSS
7.5
EPSS
0.00055

Summary

### Impact multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the `Content-Disposition` filename parameter parser. A multipart upload with a long header value containing `!filename="1` repeated can cause regex matching to take seconds, blocking the event loop. Any service accepting multipart uploads via multiparty is affected. ### Patches Users should…

Product

npm: multiparty

What to do

General, cautious steps (verify details in the official source):

  • Prioritize patching or mitigation immediately (treat as actively risky).
  • Identify affected product versions in your inventory and verify whether you are impacted.
  • Apply vendor patches/updates or recommended mitigations as soon as available.
  • Read the official advisory for exact affected versions and remediation steps.

Official advisory

Related advisories

GitHub GitHub 2026-W21