Denial of Service in multiparty Product by PillarJS
CVE-2026-8159

7.5 HIGH

Key Information:

Vendor: Multiparty
CVE Published: 12 May 2026

What is CVE-2026-8159?

The multiparty package, which handles multipart uploads, is vulnerable to a denial of service attack. A crafted multipart upload with an excessively long header value triggers excessive regular expression backtracking in the parser for the Content-Disposition filename parameter, which blocks the event loop for extended periods. As a result, any service that accepts multipart uploads through this library can experience service degradation. Upgrade to multiparty version 4.3.0 or later to mitigate this vulnerability. Limiting upload sizes at the proxy or gateway can offer some protection, though even small header values may still lead to blocking.

Affected Version(s)

multiparty 0 <= 4.2.3

multiparty 4.3.0
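
To check whether a project ships an affected copy, the following added example (not part of the advisory and not multiparty's own code) scans a parsed npm lockfile for every installed multiparty, including copies nested under other dependencies, and flags versions below 4.3.0. The function names, the sample lockfile and the `upload-service` and `legacy-forms` package names are constructed for illustration.

```javascript
// Added example: flag multiparty copies older than 4.3.0, the release the advisory says to upgrade to.
const FIXED = [4, 3, 0];

// Parse "major.minor.patch" into numbers; a prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isAffected(version) {
  const parts = parseVersion(version);
  if (!parts) return true; // unparseable or missing version: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false; // exactly 4.3.0
}

// Walk a parsed npm lockfile and return every multiparty copy, nested ones included.
function findMultiparty(lock) {
  const hits = [];
  const add = (path, meta) => hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/multiparty' || path.endsWith('/node_modules/multiparty')) add(path, meta);
  }
  if (hits.length) return hits;
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'multiparty') add(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (package names other than multiparty are made up).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'upload-service', version: '1.0.0' },
    'node_modules/multiparty': { version: '4.2.3' },
    'node_modules/legacy-forms/node_modules/multiparty': { version: '4.3.0' },
  },
};
console.log(findMultiparty(sampleLock));
```

Against a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` instead of `sampleLock`.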

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

aszx87410
Blake Embrey
Ulises Gascón