CVE-2026-12143

EPSS 0.33%
Veröffentlicht 12.06.2026 18:01:30
Zuletzt bearbeitet 16.06.2026 15:42:57
Quelle 7ffcee3d-2c14-4c3e-b844-86c6a3
CVE-Watchlists
Login
Unerledigt
Login

form-data does not escape CR/LF/quote in multipart field names and filenames (CRLF injection)

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 10

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerform-data

≫

Produkt form-data

Default Statusunaffected

Version 0

Version < 2.5.6

Status affected

Version 3.0.0

Version < 3.0.5

Status affected

Version 4.0.0

Version < 4.0.6

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.33%	0.241

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
7ffcee3d-2c14-4c3e-b844-86c6a321a158	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
7ffcee3d-2c14-4c3e-b844-86c6a321a158	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx

https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435

https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229

https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045

https://www.npmjs.com/package/form-data

https://cwe.mitre.org/data/definitions/93.html

https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data

https://nvd.nist.gov/vuln/detail/CVE-2026-12143

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-12143

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-12143

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-12143