CVE-2026-8161

multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception

CVSS 7.5 HIGHEPSS 0.5%CWE-1321 CWE-248

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

multiparty · multiparty

public PoCs found — 1

githubgithub.com/Ser0n-ath/multiparty-CVE-2026-8161★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://cna.openjsf.org/security-advisories.html https://github.com/pillarjs/multiparty/security/advisories/GHSA-qxch-whhj-8956