CVE-2026-8161 Overview
CVE-2026-8161 is a denial-of-service vulnerability in the multiparty Node.js module maintained by pillarjs. Versions 4.2.3 and lower mishandle multipart form field names that collide with inherited Object.prototype properties. An unauthenticated remote attacker can crash the Node.js process by submitting a crafted multipart/form-data request. The flaw is tracked under [CWE-248: Uncaught Exception]. Any HTTP service that accepts multipart uploads through multiparty is affected.
Critical Impact
A single crafted multipart request triggers an uncaught TypeError that terminates the Node.js process, taking the application offline without authentication or user interaction.
Affected Products
- pillarjs multiparty versions 4.2.3 and earlier
- Node.js applications consuming multipart/form-data via multiparty
- Express, Connect, and other HTTP frameworks using multiparty as an upload parser
Discovery Timeline
- 2026-05-12 - CVE-2026-8161 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8161
Vulnerability Analysis
The vulnerability stems from how multiparty aggregates multipart form fields keyed by name. The parser stores incoming field values in an object and calls .push() on the entry that matches the field name. When the field name matches an inherited Object.prototype property such as __proto__, constructor, or toString, lookup resolves to the prototype value instead of an array. Calling .push() on a non-array prototype member throws a TypeError. Because the throw occurs inside an asynchronous parsing callback, it propagates as an uncaught exception and terminates the Node.js process.
Root Cause
The root cause is unsafe property access on a plain JavaScript object without a null prototype or hasOwnProperty guard. The parser assumes any key lookup either returns undefined or an array it previously created. Inherited prototype members violate that assumption. The bug is classified as [CWE-248] uncaught exception rather than prototype pollution, since the attacker controls the crash path rather than the prototype state.
Attack Vector
Exploitation requires only network access to an endpoint that parses multipart requests. An attacker sends a multipart/form-data body containing a field whose name parameter in the Content-Disposition header is set to __proto__, constructor, or toString. The parser then invokes .push() against the inherited prototype value and crashes. No authentication, user interaction, or prior knowledge of application internals is required. Repeated requests can keep a restarted process in a continuous crash loop.
Detection Methods for CVE-2026-8161
Indicators of Compromise
- HTTP requests with Content-Type: multipart/form-data containing a part whose Content-Disposition declares name="__proto__", name="constructor", or name="toString"
- Application logs showing TypeError: ... .push is not a function originating in multiparty/index.js
- Sudden Node.js process exits or container restarts correlated with inbound upload traffic
- Process supervisor (pm2, systemd, Kubernetes) restart events tied to multipart endpoints
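The lookup failure described under Vulnerability Analysis and Root Cause, and the indicator listed above, as an added example (this is illustrative code, not multiparty's own source): a minimal field aggregator with the unsafe plain-object pattern beside a null-prototype version, and a detector that scans a constructed multipart body for part names that exist on Object.prototype (it generalizes beyond the three names in the advisory to any inherited member).

```javascript
// Added illustration (not multiparty's code): unsafe vs. hardened field aggregation, plus a detector.

// Unsafe: a plain object, so a field named after an Object.prototype member
// resolves to the inherited value and .push() is not a function.
function aggregateUnsafe(fields) {
  const out = {};
  for (const [name, value] of fields) {
    if (out[name] === undefined) out[name] = [];
    out[name].push(value); // TypeError for "__proto__", "constructor", "toString"
  }
  return out;
}

// Returns true when the unsafe aggregator would crash on these fields.
function crashesOn(fields) {
  try { aggregateUnsafe(fields); return false; }
  catch (e) { return e instanceof TypeError; }
}

// Hardened: null-prototype storage plus an own-property guard, so every
// lookup yields either nothing or an array this function created.
function aggregateSafe(fields) {
  const out = Object.create(null);
  for (const [name, value] of fields) {
    if (!Object.prototype.hasOwnProperty.call(out, name)) out[name] = [];
    out[name].push(value);
  }
  return out;
}

// Detection: pull each part's name= parameter out of a raw multipart body and
// report those that exist on Object.prototype (inherited members, __proto__ included).
function findPrototypeNamedParts(body) {
  const re = /Content-Disposition:\s*form-data;[^\r\n]*?\bname="([^"]*)"/gi;
  const hits = [];
  let m;
  while ((m = re.exec(body)) !== null) {
    if (m[1] in Object.prototype) hits.push(m[1]);
  }
  return hits;
}

// Constructed sample body (boundary and values are made up) with one benign
// part and one part named after an inherited member.
const SAMPLE_BODY = [
  "--boundary", 'Content-Disposition: form-data; name="title"', "", "hello",
  "--boundary", 'Content-Disposition: form-data; name="toString"', "", "x",
  "--boundary--", "",
].join("\r\n");
```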
Detection Strategies
- Inspect web server and reverse proxy logs for multipart field names matching prototype property strings
- Deploy a WAF rule that blocks multipart parts whose Content-Disposition name parameter equals __proto__, constructor, or toString
- Audit package-lock.json and npm ls multiparty output across services to identify vulnerable versions at or below 4.2.3
- Correlate uncaught exception telemetry from APM tools with multipart upload endpoints
Monitoring Recommendations
- Alert on repeated Node.js process crashes within short time windows on the same service
- Monitor for spikes in 5xx responses or connection resets at upload endpoints
- Track dependency drift using software composition analysis (SCA) tooling to flag multiparty < 4.3.0
- Enable structured logging of unhandled exceptions and ship them to a central SIEM for correlation
How to Mitigate CVE-2026-8161
Immediate Actions Required
- Upgrade multiparty to version 4.3.0 or later in all affected services
- Inventory transitive dependencies, since frameworks may pull multiparty indirectly
- Deploy a temporary WAF or reverse proxy rule rejecting multipart parts named __proto__, constructor, or toString
- Add a global uncaughtException handler that logs and gracefully restarts workers to limit crash-loop impact
Patch Information
The maintainers released multiparty@4.3.0 with a fix that validates field names against inherited prototype properties before invoking array operations. Refer to the GitHub Security Advisory GHSA-qxch-whhj-8956 and the OpenJS Foundation Security Advisories for full remediation details.
Workarounds
- No code-level workaround exists within multiparty@4.2.3 and earlier; upgrading is required
- As a stopgap, place a WAF, API gateway, or middleware in front of the application to drop requests containing prototype-named multipart fields
- Run Node.js workers under a supervisor that rate-limits restarts to mitigate sustained crash-loop attacks
```shell
# Configuration example
npm install multiparty@^4.3.0
npm ls multiparty
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.