CVE-2026-8162 Overview
CVE-2026-8162 affects the multiparty Node.js module versions 4.2.3 and earlier. The library is widely used to parse multipart/form-data HTTP requests, including file uploads. Attackers can crash any process accepting multipart uploads by sending a single crafted request. The flaw stems from an uncaught URIError raised by decodeURI when processing a malformed filename* parameter in a Content-Disposition header. Maintainers addressed the issue in multiparty@4.3.0.
Critical Impact
Unauthenticated remote attackers can crash any HTTP service that accepts multipart uploads through multiparty, producing a denial of service with a single request.
Affected Products
- pillarjs/multiparty versions 4.2.3 and lower
- Node.js applications consuming multiparty as a direct dependency
- Express, Connect, and other frameworks using multiparty for upload handling
Discovery Timeline
- 2026-05-12 - CVE-2026-8162 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-8162
Vulnerability Analysis
The vulnerability is an Improper Handling of Exceptional Conditions [CWE-755] flaw in the multiparty multipart parser. When parsing a Content-Disposition header, the parser extracts the filename* parameter, which follows RFC 5987 percent-encoding rules. The parser passes that value directly to decodeURI without wrapping the call in try/catch.
If the percent-encoded sequence is malformed, decodeURI throws a URIError. The exception escapes the request handler and propagates to the Node.js event loop. Without an uncaughtException listener, the Node.js process terminates. A single unauthenticated HTTP request is sufficient to crash the worker, producing a denial of service across the affected service.
Root Cause
The root cause is missing exception handling around a parser routine that processes untrusted input. The decodeURI function rejects malformed percent-encoding by throwing, and the multiparty header parser did not anticipate that failure mode. Because Node.js terminates on uncaught exceptions by default, the parsing error escalates to a full process crash.
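The following is an added illustration, not multiparty's own code: a minimal RFC 5987 filename* extractor written in the shape the analysis above describes, once in the vulnerable form (decodeURI called on untrusted input with no try/catch) and once in the hardened form the fix is described as taking. The header strings, the helper names (extractFilenameStar, splitExtValue, parseFilenameUnsafe, parseFilenameSafe) and the regular expressions are assumptions made for this example.

```javascript
// Added example, not multiparty's own code: a minimal RFC 5987 filename*
// extractor in a vulnerable and a hardened form. All header strings below
// are constructed for illustration.

// Pull the raw filename* value out of a Content-Disposition header line.
// Returns the still percent-encoded value, or undefined if absent.
function extractFilenameStar(contentDisposition) {
  const m = /filename\*\s*=\s*([^;]+)/i.exec(contentDisposition);
  return m ? m[1].trim() : undefined;
}

// Split an RFC 5987 ext-value "charset'language'value-chars".
function splitExtValue(raw) {
  const m = /^([^']*)'([^']*)'(.*)$/.exec(raw);
  return m ? { charset: m[1], language: m[2], encoded: m[3] } : undefined;
}

// Vulnerable shape: decodeURI runs on attacker-controlled input without a
// try/catch, so a malformed sequence such as "%ZZ" or a lone "%" throws a
// URIError that escapes the parser and, with no handler, ends the process.
function parseFilenameUnsafe(contentDisposition) {
  const raw = extractFilenameStar(contentDisposition);
  if (raw === undefined) return undefined;
  const parts = splitExtValue(raw);
  if (!parts) return undefined;
  return decodeURI(parts.encoded); // throws URIError on malformed input
}

// Hardened shape (what the 4.3.0 fix is described as doing): catch the
// URIError and reject the parameter instead of letting it propagate. The
// caller sees undefined and can fall back to filename= or reject the part.
function parseFilenameSafe(contentDisposition) {
  const raw = extractFilenameStar(contentDisposition);
  if (raw === undefined) return undefined;
  const parts = splitExtValue(raw);
  if (!parts) return undefined;
  try {
    return decodeURI(parts.encoded);
  } catch (err) {
    if (err instanceof URIError) return undefined; // reject, do not throw
    throw err; // anything else is a real bug and should surface
  }
}

// Constructed headers: one well-formed, two malformed in the ways the
// advisory names (a "%ZZ" sequence and a lone "%").
const GOOD = "form-data; name=\"file\"; filename*=UTF-8''r%C3%A9sum%C3%A9.pdf";
const BAD_ZZ = "form-data; name=\"file\"; filename*=UTF-8''%ZZ";
const BAD_LONE = "form-data; name=\"file\"; filename*=UTF-8''%";

// Demo helper: does the unsafe parser throw a URIError for this header?
function unsafeThrowsURIError(contentDisposition) {
  try {
    parseFilenameUnsafe(contentDisposition);
    return false;
  } catch (err) {
    return err instanceof URIError;
  }
}

console.log(parseFilenameSafe(GOOD));        // résumé.pdf
console.log(unsafeThrowsURIError(BAD_ZZ));   // true
console.log(parseFilenameSafe(BAD_ZZ));      // undefined
```

One design point worth noting: the catch block only swallows URIError. A blanket catch would also hide genuine programming errors in the parser, which is a different failure mode from the one this advisory covers.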
Attack Vector
Exploitation requires only network access to any endpoint that hands incoming multipart/form-data requests to multiparty. The attacker sends a POST request containing a Content-Disposition header with a filename* value that includes an invalid percent-encoded sequence, such as a lone % or %ZZ. The parser invokes decodeURI on the value, the call throws, and the process exits. No authentication, user interaction, or privileged access is required. See the GitHub Security Advisory GHSA-xh3c-6gcq-g4rv for additional technical detail.
Detection Methods for CVE-2026-8162
Indicators of Compromise
- Repeated unexpected Node.js process exits or worker restarts correlated with inbound multipart/form-data requests
- HTTP request logs containing Content-Disposition headers with malformed filename* values, such as filename*=UTF-8''% or stray percent characters
- Stack traces in application logs referencing URIError: URI malformed originating from multiparty header parsing
Detection Strategies
- Inventory all Node.js services and identify those with multiparty@<=4.2.3 in package-lock.json or yarn.lock using npm ls multiparty
- Configure a web application firewall (WAF) rule to flag Content-Disposition headers containing invalid percent-encoding sequences
- Enable Node.js process.on('uncaughtException') logging to capture URIError events with full stack traces for forensic review
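The scanner below is an added example (not part of the advisory or of multiparty) covering the log-based indicator and the WAF-style check listed above. It flags filename* values whose percent-encoding would make decodeURI throw. One caveat a practitioner should keep in mind: the part-level Content-Disposition header carrying filename* sits inside the multipart body, not among the top-level HTTP headers, so a proxy or WAF rule has to inspect the body to see it. The function names, the regular expressions and every sample line are assumptions constructed for this example.

```javascript
// Added example, not part of the advisory or multiparty: flag filename*
// values whose percent-encoding would make decodeURI throw a URIError.
// All sample input below is constructed for illustration.

// A percent sign not followed by exactly two hex digits is the simple
// syntactic case ("%ZZ", a lone "%", "%2" at end of value).
const BAD_PCT = /%(?![0-9A-Fa-f]{2})/;

// Classify one filename* value. Returns null when it decodes cleanly,
// otherwise a short reason string. The second check matters for rule
// writers: "%E2%82" is syntactically valid percent-encoding, but it is an
// incomplete UTF-8 sequence and decodeURI throws on it too, so a regex for
// bad hex escapes alone does not catch every crashing input.
function classify(value) {
  const pct = BAD_PCT.exec(value);
  if (pct) return `invalid percent-encoding at offset ${pct.index}`;
  try {
    decodeURI(value);
    return null;
  } catch (err) {
    if (err instanceof URIError) return 'valid hex escapes but not valid UTF-8';
    throw err;
  }
}

// Find every filename* parameter in a chunk of text (a log line or a raw
// multipart body) and report the ones that would not decode.
function findMalformedFilenameStar(text) {
  const findings = [];
  const re = /filename\*\s*=\s*([^;\r\n]+)/gi;
  let m;
  while ((m = re.exec(text)) !== null) {
    const value = m[1].trim();
    const reason = classify(value);
    if (reason !== null) findings.push({ value, offset: m.index, reason });
  }
  return findings;
}

// Scan an array of log lines, keeping the 1-based line number per finding.
function scanLogLines(lines) {
  const out = [];
  lines.forEach((line, i) => {
    for (const f of findMalformedFilenameStar(line)) out.push({ line: i + 1, ...f });
  });
  return out;
}

// Constructed sample log lines (not real traffic). Line 2 and 3 carry the
// malformed values named in the advisory; line 1 is well-formed.
const SAMPLE_LOG = [
  'POST /upload 200 part="file" filename*=UTF-8\'\'r%C3%A9sum%C3%A9.pdf',
  'POST /upload 500 part="file" filename*=UTF-8\'\'%',
  'POST /upload 500 part="file" filename*=UTF-8\'\'%ZZ; name="file"',
  'POST /upload 200 part="doc" filename="plain.txt"',
];

// Constructed raw multipart body: this is where filename* actually lives,
// so body inspection is what a compensating control needs to do.
const SAMPLE_BODY = [
  '--boundary123',
  'Content-Disposition: form-data; name="file"; filename*=UTF-8\'\'%E2%82',
  'Content-Type: application/octet-stream',
  '',
  'payload bytes',
  '--boundary123--',
].join('\r\n');

console.log(scanLogLines(SAMPLE_LOG));            // findings on lines 2 and 3
console.log(findMalformedFilenameStar(SAMPLE_BODY)); // one finding: bad UTF-8
```

Because classify() delegates the final decision to decodeURI itself, the check agrees with the runtime exactly rather than approximating it with a pattern; the regex is kept only so the report can say which of the two conditions fired.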
Monitoring Recommendations
- Alert on abnormal rates of process restarts, container OOM/crash events, or load balancer health-check failures on upload-handling services
- Monitor HTTP 5xx response spikes correlated with multipart/form-data content types
- Follow the OpenJS Foundation Security Advisories feed for further multiparty updates
How to Mitigate CVE-2026-8162
Immediate Actions Required
- Upgrade multiparty to version 4.3.0 or later in every affected service
- Run npm audit or yarn audit across all Node.js projects and remediate any flagged multiparty advisories
- Restart all Node.js workers after upgrading to ensure the patched module is loaded into memory
- Deploy a WAF rule to drop requests with malformed filename* percent-encoding until patches are applied
Patch Information
The multiparty maintainers fixed the issue in version 4.3.0 by wrapping the decodeURI call in a try/catch block and rejecting the offending parameter rather than throwing. Refer to the GitHub Security Advisory GHSA-xh3c-6gcq-g4rv for the official remediation guidance.
Workarounds
- No vendor-supplied workaround exists; upgrading to multiparty@4.3.0 is the only complete fix
- As a temporary compensating control, place a reverse proxy or WAF in front of the application to reject requests with malformed Content-Disposition percent-encoding
- Add a global process.on('uncaughtException') handler to keep workers alive, with the understanding that this does not address the underlying parsing flaw
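The handler below is an added example, not part of the advisory or of multiparty, covering both the forensic logging suggested under Detection Strategies and the keep-alive workaround above. It is deliberately narrow: it records URIError events with their stack trace and keeps the worker up only for that error class, while any other uncaught exception still terminates the process as Node.js would by default. The function name, the `proc`, `sink` and `exitFn` parameters, and the fake process object are assumptions made so the handler can be exercised without touching the real process.

```javascript
// Added example, not part of the advisory or multiparty: a narrowly scoped
// uncaughtException handler. `proc` is normally `process`, `sink` receives
// structured records (e.g. console.error), `exitFn` is normally process.exit.
function installUncaughtURIErrorLogger(proc, sink, exitFn) {
  const stats = { uriErrors: 0, other: 0 };
  proc.on('uncaughtException', (err) => {
    if (err instanceof URIError) {
      stats.uriErrors += 1;
      // Keep the stack: it shows whether the throw came out of multipart
      // header parsing, which is the indicator the advisory names.
      sink({
        kind: 'URIError',
        message: err.message,
        stack: err.stack,
        at: new Date().toISOString(),
      });
      return; // worker stays up; the parsing flaw itself is unchanged
    }
    // Anything else is not the condition this workaround is for. Log it
    // and exit so unrelated crashes are not masked.
    stats.other += 1;
    sink({ kind: 'fatal', message: String(err && err.message), stack: err && err.stack });
    exitFn(1);
  });
  return stats; // counters for health reporting
}

// Constructed stand-in for `process`, used only to exercise the handler.
function fakeProcess() {
  const handlers = {};
  return {
    on(event, fn) { handlers[event] = fn; },
    emit(event, arg) { if (handlers[event]) handlers[event](arg); },
  };
}

// Against the real process this would be:
//   installUncaughtURIErrorLogger(process,
//     (rec) => console.error(JSON.stringify(rec)),
//     (code) => process.exit(code));
```

The counters returned by the installer give a cheap signal for the monitoring recommendations above: a rising uriErrors count on an upload-handling worker is the crash pattern this advisory describes, now visible instead of silently restarting.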
# Upgrade multiparty to the patched release
npm install multiparty@^4.3.0 --save
# Verify the resolved version across the dependency tree
npm ls multiparty
# Audit the project for related advisories
npm audit --production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.