Zurück zur Liste

multiparty vulnerable to ReDoS via filename parsing — CVE-2026-8159

GitHub · GitHub · CVE-2026-8159

ID
CVE-2026-8159

Datum
2026-05-18

Activity
2026-05-18

Quelle
GitHub

Vendor
GitHub

Risiko
high

CVSS
7.5

EPSS
0.00055

Zusammenfassung

### Impact multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the `Content-Disposition` filename parameter parser. A multipart upload with a long header value containing `!filename="1` repeated can cause regex matching to take seconds, blocking the event loop. Any service accepting multipart uploads via multiparty is affected. ### Patches Users should…

Produkt

npm: multiparty

Was tun?

Allgemeine, vorsichtige Schritte (bitte prüfe die offizielle Quelle für Details):

Priorisiere sofort Patches oder Mitigations (hohes akutes Risiko).
Identifiziere betroffene Produktversionen und prüfe, ob du betroffen bist.
Spiele Hersteller-Updates/Patches ein oder setze empfohlene Mitigations um.
Lies das offizielle Advisory für betroffene Versionen und konkrete Schritte.

Offizielles Advisory

Mehr dazu

GitHub GitHub 2026-W21

File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection

2026-06-13 CVE-2026-54090

highGitHub GitHub 2026-W24

ConnectBot SSH Client Library: Excessive allocation and integer overflow in DER private-key parsing

2026-06-12 GHSA-VC8P-8PXG-RFWG

mediumGitHub GitHub 2026-W24

ConnectBot SSH Client Library: Unbounded SSH field lengths can cause excessive memory allocation

2026-06-12 GHSA-CH3Q-CW5R-F4HG

mediumGitHub GitHub 2026-W24

File Browser has a DoS Vulnerability via Public Login API

2026-06-12 CVE-2026-54092

highGitHub GitHub 2026-W24

File Browser has incorrect access control for public directory shares via rule path rebasing

2026-06-12 CVE-2026-54091

highGitHub GitHub 2026-W24

File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix

2026-06-12 CVE-2026-54097

highGitHub GitHub 2026-W24