CVE-2026-12143

June 12, 2026, 8:16 p.m.

8.7
High

Description

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.

Product(s) Impacted

Vendor Product Versions
Form-data
  • Form-data
  • <4.0.6

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a form-data form-data <4.0.6 / / / / / / /

References

https://cwe.mitre.org/data/definitions/93.html
https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435
https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229
https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045
https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx
https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data
https://www.npmjs.com/package/form-data
https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx

Tags

CWE-93
7ffcee3d-2c14-4c3e-b844-86c6a321a158
2026-06-12
CVE-2026-12143

CVSS Score

8.7 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: June 12, 2026, 7:16 p.m.
Last Modified: June 12, 2026, 8:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

7ffcee3d-2c14-4c3e-b844-86c6a321a158

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.