CVE-2026-12143 Overview
CVE-2026-12143 is a Carriage Return Line Feed (CRLF) injection vulnerability in the form-data Node.js library, a widely used package for creating readable multipart/form-data streams. The flaw exists in versions through 4.0.5 and is classified as CWE-93. The field argument to FormData#append and the filename option are concatenated verbatim into the Content-Disposition header. Carriage return, line feed, and double-quote characters are not escaped. Attackers who control these inputs can terminate the header line and inject additional headers or entire multipart parts.
Critical Impact
Attackers can inject or override form fields, such as setting is_admin=true, in requests forwarded to backend parsers.
Affected Products
- form-data npm package versions through 4.0.5 (3.x branch)
- form-data npm package 2.x branch through 2.5.5
- Applications passing untrusted input as multipart field names or filenames
Discovery Timeline
- 2026-06-12 - CVE-2026-12143 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-12143
Vulnerability Analysis
The form-data library constructs multipart/form-data requests by writing Content-Disposition headers for each form part. The vulnerable code concatenates the developer-supplied field name and filename option directly into the header without sanitization. Attackers can inject \r\n sequences to terminate the header line. This permits insertion of arbitrary new headers or whole multipart sections into the outgoing request.
The vulnerability is exploitable only when an application uses attacker-controlled input as a field name or filename. A common pattern is an API gateway that converts JSON object keys into multipart field names before forwarding to a backend service. Applications that use only fixed or trusted field names are not affected.
Root Cause
The library failed to apply the escaping rules defined by the WHATWG HTML multipart/form-data encoding algorithm. Browsers serialize CR, LF, and " characters as %0D, %0A, and %22 respectively. The Node.js implementation omitted this step, deviating from the browser behavior and exposing applications to header smuggling.
Attack Vector
An attacker submits a JSON payload or other structured input where keys are intended to become multipart field names. By embedding \r\n followed by a forged part boundary, the attacker appends a synthetic multipart section. The downstream parser then accepts the smuggled section as legitimate, allowing it to add or override fields such as authorization flags consumed by the backend.
No proof-of-concept exploit is publicly tracked at time of writing. See the GitHub Security Advisory GHSA-hmw2-7cc7-3qxx for technical details.
Detection Methods for CVE-2026-12143
Indicators of Compromise
- Outbound HTTP requests containing Content-Disposition headers with unexpected boundary markers or duplicated name= attributes.
- Backend application logs showing form fields that were not present in the original client request.
- Anomalous multipart bodies whose declared part count exceeds the number of fields originating from the front-end application.
Detection Strategies
- Inspect proxy and Web Application Firewall (WAF) logs for raw %0D%0A, literal CRLF, or unescaped " characters in request parameters that feed multipart field names.
- Audit dependency manifests (package.json, package-lock.json, yarn.lock) for form-data versions at or below 4.0.5, 3.0.4, or 2.5.5.
- Run Software Composition Analysis (SCA) tooling against build artifacts to flag vulnerable form-data releases.
Monitoring Recommendations
- Enable verbose request logging at API gateways that translate JSON keys into multipart field names.
- Correlate backend admin-state changes with originating multipart requests to identify unexpected field assignments.
- Track npm advisory feeds and GitHub security advisories for additional fix updates referencing GHSA-hmw2-7cc7-3qxx.
How to Mitigate CVE-2026-12143
Immediate Actions Required
- Upgrade form-data to version 4.0.6, 3.0.5, or 2.5.6 depending on the major version in use.
- Audit application code for any path where untrusted input becomes a multipart field name or filename.
- Where possible, refactor to use fixed, allowlisted field names instead of dynamic keys.
Patch Information
The maintainers released fixes in form-data versions 2.5.6, 3.0.5, and 4.0.6. The patch escapes CR, LF, and " as %0D, %0A, and %22 in field names and filenames, aligning with the WHATWG HTML multipart/form-data encoding algorithm. See the primary fix commit for implementation details.
Workarounds
- Validate and reject any user-supplied field name or filename containing \r, \n, or " before passing to FormData#append.
- Normalize JSON keys to an alphanumeric allowlist at the API gateway before constructing multipart requests.
- Apply WAF rules that block CRLF sequences in request parameters routed to multipart-handling endpoints.
# Upgrade form-data via npm to a patched release
npm install form-data@^4.0.6
# Verify resolved version across the dependency tree
npm ls form-data
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

