|
Vulnerabilities
< Back

CVE-2026-8161

Updated on 12 May 2026

Severity

7.5 High severity

Details

CVSS score
7.5
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE ID
Links
NISTCIRCLRHELUbuntu

Overview

About vulnerability

[email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as proto, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to [email protected] or higher.

Details

Affected product:
Express , connect , loopback , multiparty , strong-remoting
Affected packages:
multiparty @ 3.3.2 (+9 more)
[email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as proto, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to [email protected] or higher.