{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/multiparty--4.2.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:pillarjs:multiparty:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-8161"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["multiparty (\u003c= 4.2.3)"],"_cs_severities":["medium"],"_cs_tags":["prototype-pollution","denial-of-service","nodejs"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eMultiparty is a Node.js module for handling \u003ccode\u003emultipart/form-data\u003c/code\u003e requests. Versions 4.2.3 and earlier can be crashed by a single specially crafted \u003ccode\u003emultipart/form-data\u003c/code\u003e request. The parser collects submitted fields into a plain JavaScript object keyed by field name. A field whose name matches a property inherited from \u003ccode\u003eObject.prototype\u003c/code\u003e (such as \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor\u003c/code\u003e, or \u003ccode\u003etoString\u003c/code\u003e) therefore resolves to the inherited value, the prototype object itself or one of its methods, rather than to an array the parser created for that field, and the parser\u0026rsquo;s subsequent \u003ccode\u003e.push()\u003c/code\u003e call on that value throws a \u003ccode\u003eTypeError\u003c/code\u003e. Nothing on \u003ccode\u003eObject.prototype\u003c/code\u003e is written, so strictly this is a collision with an inherited property rather than prototype pollution in the usual sense, though the advisory is tagged that way. The \u003ccode\u003eTypeError\u003c/code\u003e is not caught inside the library, surfaces as an uncaught exception, and terminates the Node.js process. This affects any service that uses multiparty to handle file uploads or form data.
The vulnerability is identified as CVE-2026-8161.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a web service that uses a vulnerable version of multiparty (\u0026lt;= 4.2.3) to handle \u003ccode\u003emultipart/form-data\u003c/code\u003e requests.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP POST request with \u003ccode\u003eContent-Type: multipart/form-data\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request contains a form part whose \u003ccode\u003eContent-Disposition\u003c/code\u003e field name is a property of \u003ccode\u003eObject.prototype\u003c/code\u003e, such as \u003ccode\u003e__proto__\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003emultiparty parses the \u003ccode\u003emultipart/form-data\u003c/code\u003e request and, on reaching that part, looks the field name up in its table of collected fields.\u003c/li\u003e\n\u003cli\u003eThe lookup returns the inherited value (for \u003ccode\u003e__proto__\u003c/code\u003e, the \u003ccode\u003eObject.prototype\u003c/code\u003e object itself) rather than an array, and multiparty calls \u003ccode\u003e.push()\u003c/code\u003e on it. That value has no \u003ccode\u003epush\u003c/code\u003e method, so a \u003ccode\u003eTypeError\u003c/code\u003e is thrown.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eTypeError\u003c/code\u003e is not caught by multiparty\u0026rsquo;s error handling, so it is never reported to the caller as an ordinary parse error.\u003c/li\u003e\n\u003cli\u003eBecause it is thrown from inside a stream event handler, the exception escapes to the top level as an uncaught exception.\u003c/li\u003e\n\u003cli\u003eThe Node.js process terminates on the uncaught exception, causing a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation results in a denial of service. Any service that uses the vulnerable multiparty library to handle multipart form data can be crashed by a malicious actor with one request. Exposure is broad, as multiparty is a commonly used library in Node.js web applications. 
Each crash drops every request the process was handling at the time, including in-flight uploads, so the result is service unavailability and the loss of any partially processed data; a process supervisor that restarts the application shortens each outage but does not prevent the next one, since the attacker only needs to resend the request.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003emultiparty@4.3.0\u003c/code\u003e or later, which fixes the vulnerability according to the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-8161 Exploitation Attempt via Multipart Form\u0026rdquo; to detect requests whose multipart field name collides with a property of \u003ccode\u003eObject.prototype\u003c/code\u003e. The same field-name check can be enforced as a blocking rule at a proxy or WAF until the upgrade is deployed.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on endpoints that accept multipart form data. This is defence in depth against denial-of-service attacks in general: a single request is enough to crash a vulnerable process, so rate limiting only bounds how quickly an attacker can crash a restarted one.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T17:38:22Z","date_published":"2026-05-18T17:38:22Z","id":"https://feed.craftedsignal.io/briefs/2026-05-multiparty-dos/","summary":"Multiparty versions 4.2.3 and lower are vulnerable to denial of service via prototype pollution, where a crafted multipart/form-data request with a field name colliding with an Object.prototype property triggers a TypeError, leading to an uncaught exception and process crash.","title":"Multiparty Denial of Service via Prototype Pollution (CVE-2026-8161)","url":"https://feed.craftedsignal.io/briefs/2026-05-multiparty-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Multiparty (\u003c= 4.2.3)","version":"https://jsonfeed.org/version/1.1"}
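The field-name collision the advisory describes, a hardened form of the same accumulation pattern, and the field-name check its Sigma recommendation calls for, shown together in one added example. This is not part of the feed item and not multiparty's source: `collectFieldsVulnerable` is a simplified stand-in for the lookup-then-push pattern the advisory describes, `extractFieldNames` is a deliberately minimal Content-Disposition scanner of the kind a detection rule would use (not a full multipart parser), and the multipart bodies are constructed inline. All function and variable names are hypothetical.

```javascript
// Added example (not the feed's content and not multiparty's source): the field-name
// collision described in the advisory, a hardened form of the same accumulation
// pattern, and the field-name check a detection rule would apply.
// Hypothetical names throughout; the multipart bodies are constructed inline.

const CRLF = '\r\n';

// Property names a plain {} inherits from Object.prototype, including the
// __proto__ accessor. Any multipart field with one of these names collides.
const INHERITED = new Set(Object.getOwnPropertyNames(Object.prototype));

// Build a multipart/form-data body from [name, value] pairs (constructed input).
function buildBody(boundary, fields) {
  let body = '';
  for (const [name, value] of fields) {
    body += '--' + boundary + CRLF
      + 'Content-Disposition: form-data; name="' + name + '"' + CRLF + CRLF
      + value + CRLF;
  }
  return body + '--' + boundary + '--' + CRLF;
}

// Minimal header scan for detection purposes: returns the name="..." value of each
// part's Content-Disposition header. Not a full multipart parser.
function extractFieldNames(body, boundary) {
  const names = [];
  for (const part of body.split('--' + boundary)) {
    const headerEnd = part.indexOf(CRLF + CRLF);
    if (headerEnd === -1) continue; // preamble, closing '--', or epilogue
    const headers = part.slice(0, headerEnd);
    const m = /content-disposition:[^\r\n]*?\bname="([^"]*)"/i.exec(headers);
    if (m) names.push(m[1]);
  }
  return names;
}

// The detection logic: which submitted field names collide with Object.prototype.
function collidingFieldNames(names) {
  return names.filter((n) => INHERITED.has(n));
}

// Vulnerable accumulation pattern, simplified to the shape the advisory describes
// (a stand-in, not multiparty's code). For an inherited name the lookup is truthy,
// so no array is created and .push() is called on the inherited value.
function collectFieldsVulnerable(pairs) {
  const table = {};
  for (const [name, value] of pairs) {
    const list = table[name] || (table[name] = []);
    list.push(value); // TypeError: list.push is not a function
  }
  return table;
}

// Hardened form: a null-prototype table inherits nothing, so every name is an
// ordinary key, and an own-property check makes the lookup explicit.
function collectFieldsHardened(pairs) {
  const table = Object.create(null);
  for (const [name, value] of pairs) {
    if (!Object.prototype.hasOwnProperty.call(table, name)) table[name] = [];
    table[name].push(value);
  }
  return table;
}

// Run the three pieces over a benign body and a crafted one and report the results.
function runDemo() {
  const boundary = 'boundary42';
  const benign = [['title', 'quarterly report'], ['tags', 'a'], ['tags', 'b']];
  const malicious = [['__proto__', 'x'], ['title', 'y']]; // constructed attack input
  const benignBody = buildBody(boundary, benign);
  const maliciousBody = buildBody(boundary, malicious);

  let vulnerableError = null;
  try {
    collectFieldsVulnerable(malicious);
  } catch (e) {
    vulnerableError = e.name;
  }

  return {
    detection: {
      benign: collidingFieldNames(extractFieldNames(benignBody, boundary)),
      malicious: collidingFieldNames(extractFieldNames(maliciousBody, boundary)),
    },
    vulnerableBenign: collectFieldsVulnerable(benign),
    vulnerableError, // 'TypeError' for the crafted body
    hardened: collectFieldsHardened(malicious),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The null-prototype table is the essential part of the fix: with a plain `{}`, even an own-property check would turn `table['__proto__'] = []` into a reassignment of the object's prototype instead of creating a field, so the own-property check alone is not enough. On the detection side, `Object.getOwnPropertyNames(Object.prototype)` is exactly the set of names a plain object inherits, so it is the collision set to match on; bodies that use unusual quoting or encoding in `Content-Disposition` need a real multipart parser rather than this scanner.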