CVE-2026-8159 Overview
CVE-2026-8159 is a Regular Expression Denial of Service (ReDoS) vulnerability in the multiparty Node.js module, a widely used library for parsing multipart form data. Versions 4.2.3 and earlier contain a vulnerable regular expression in the Content-Disposition filename parameter parser. Attackers can submit a crafted multipart upload with a long header value to trigger catastrophic backtracking, causing regex matching to consume seconds of CPU time and block the Node.js event loop. Any service that accepts multipart uploads through multiparty is affected. The issue is tracked under CWE-1333 and resolved in multiparty@4.3.0.
Critical Impact
A single unauthenticated HTTP request with a header of approximately 8 KB can stall the Node.js event loop, denying service to all concurrent users.
Affected Products
- pillarjs/multiparty versions 4.2.3 and earlier
- Node.js applications and services accepting multipart uploads via multiparty
- Express and Connect-based web frameworks using multiparty as a body parser
Discovery Timeline
- 2026-05-12 - CVE-2026-8159 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8159
Vulnerability Analysis
The vulnerability is a Regular Expression Denial of Service (CWE-1333) in the parser responsible for extracting the filename parameter from the Content-Disposition header of multipart uploads. The regex used to match the filename value contains overlapping quantifiers that produce catastrophic backtracking when fed adversarial input. A header value of roughly 8 KB is enough to push regex evaluation into multi-second execution times.
Because Node.js is single-threaded, blocking the event loop halts every concurrent request handled by the same process. An attacker can repeatedly send crafted requests to exhaust CPU capacity across worker processes and render the service unavailable. No authentication, user interaction, or special privileges are required.
Root Cause
The filename parameter parser uses a regular expression that allows ambiguous matches on quoted and unquoted filename values. When the input does not cleanly terminate, the regex engine explores an exponential number of backtracking paths. The fix in multiparty@4.3.0 rewrites the pattern to remove the ambiguity and bound execution time.
Attack Vector
An attacker sends an HTTP request with Content-Type: multipart/form-data to any endpoint that invokes multiparty to parse the request body. The crafted Content-Disposition header contains a long filename value designed to trigger backtracking. The vulnerability manifests during header parsing, before any file content is read, so attackers do not need to upload an actual file. See the GitHub Security Advisory GHSA-65x3-rw7q-gx94 and the OWASP ReDoS Attack Analysis for technical details on the pattern and exploitation class.
Detection Methods for CVE-2026-8159
Indicators of Compromise
- Inbound HTTP requests with Content-Type: multipart/form-data containing Content-Disposition headers larger than typical filename values (multiple kilobytes).
- Node.js processes showing sustained CPU saturation on a single core correlated with multipart upload endpoints.
- Event loop lag metrics spiking into the seconds range during upload traffic.
Detection Strategies
- Inspect HTTP traffic at the proxy or WAF layer for Content-Disposition filename parameters exceeding a reasonable length threshold such as 1 KB.
- Monitor Node.js runtime metrics for event loop blocking using perf_hooks.monitorEventLoopDelay or APM instrumentation.
- Audit application dependency manifests (package.json, package-lock.json, yarn.lock) for multiparty versions at or below 4.2.3.
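The proxy-layer length check above, as an added example that is not part of the original advisory or of multiparty: it walks the part headers of a buffered multipart body with indexOf only (so the check itself cannot backtrack) and reports any Content-Disposition whose filename parameter or whole value is longer than expected. The 1 KB filename threshold comes from the guidance above; the 4 KB whole-header threshold, the boundary name and the sample bodies are assumptions constructed here.

```javascript
// Linear-time audit of Content-Disposition headers in a multipart body, meant to
// run before the body is handed to multiparty. Thresholds are assumptions:
// 1 KB for the filename parameter, 4 KB for the full header value.
function filenameParamLength(value) {
  const i = value.toLowerCase().indexOf('filename=');
  if (i === -1) return 0;
  let start = i + 'filename='.length;
  const quoted = value[start] === '"';
  if (quoted) start += 1;
  // quoted form ends at the closing quote, token form at the next parameter;
  // an unterminated value counts to the end of the header
  let end = value.indexOf(quoted ? '"' : ';', start);
  if (end === -1) end = value.length;
  return end - start;
}

function auditMultipartHeaders(body, boundary, maxFilenameLen = 1024, maxHeaderLen = 4096) {
  const text = Buffer.isBuffer(body) ? body.toString('latin1') : body;
  const delimiter = '--' + boundary;
  const findings = [];
  let pos = text.indexOf(delimiter);
  let part = 0;
  while (pos !== -1) {
    pos += delimiter.length;
    if (text.startsWith('--', pos)) break;    // closing delimiter, no more parts
    const headersStart = text.indexOf('\r\n', pos) + 2;
    const headersEnd = text.indexOf('\r\n\r\n', headersStart);
    if (headersStart === 1 || headersEnd === -1) break;   // truncated part
    for (const line of text.slice(headersStart, headersEnd).split('\r\n')) {
      const colon = line.indexOf(':');
      if (colon === -1 || line.slice(0, colon).trim().toLowerCase() !== 'content-disposition') continue;
      const value = line.slice(colon + 1).trim();
      const filenameLength = filenameParamLength(value);
      if (filenameLength > maxFilenameLen || value.length > maxHeaderLen) {
        findings.push({ part, headerLength: value.length, filenameLength });
      }
    }
    part += 1;
    pos = text.indexOf(delimiter, headersEnd + 4);
  }
  return findings;
}

// Constructed sample bodies (not captured traffic) for trying the check offline.
const BOUNDARY = 'ExampleBoundary7';
function sampleBody(filename) {
  return ['--' + BOUNDARY,
    'Content-Disposition: form-data; name="upload"; filename="' + filename + '"',
    'Content-Type: application/octet-stream', '', 'file bytes', '--' + BOUNDARY + '--', ''].join('\r\n');
}
```

A finding from this check is a reason to reject the request or raise an alert before multiparty runs; it complements, rather than replaces, a request header size cap at the proxy.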
Monitoring Recommendations
- Alert on request rates to multipart upload endpoints that correlate with rising p99 latency or 5xx error rates.
- Track per-request CPU time on upload handlers and flag outliers exceeding 500 ms.
- Log and review oversized request headers at the reverse proxy or load balancer.
How to Mitigate CVE-2026-8159
Immediate Actions Required
- Upgrade multiparty to version 4.3.0 or higher in all affected applications.
- Rebuild and redeploy container images and serverless bundles that vendor multiparty transitively.
- Apply request size and header length limits at the upstream proxy, load balancer, or API gateway.
Patch Information
The vendor released a fix in multiparty@4.3.0 that rewrites the Content-Disposition filename parser to eliminate catastrophic backtracking. Refer to the GitHub Security Advisory GHSA-65x3-rw7q-gx94 and the OpenJSF Security Advisories for full remediation guidance.
Workarounds
- Limit maximum request header size at the proxy layer. This only reduces the attack surface: a header of around 8 KB already triggers the issue, so a cap must be set well below that to help.
- Run multipart parsing inside a worker thread or child process to isolate event loop stalls from the main request handler.
- Add a timeout-based circuit breaker around multiparty invocation to abort requests that exceed expected parse time.
# Upgrade multiparty to the patched version
npm install multiparty@^4.3.0
# Verify the resolved version in the dependency tree
npm ls multiparty
# Audit for known advisories
npm audit --production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.