Vulnerability Description
multiparty versions below 4.3.0 (see the affected products table) are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause the regex match to take seconds, blocking the event loop. Impact: any service that accepts multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a single header value of around 8 KB is sufficient to trigger the backtracking. Upgrade to multiparty 4.3.0 or higher.
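The defensive counterpart to the description above, as an added example that is not multiparty's own code: a Content-Disposition filename parameter parser that walks the header value once with a hand-written scanner instead of a backtracking regex, combined with a hard cap on header length. The cap value `MAX_HEADER_LEN`, the function names and the sample header values are assumptions constructed for this example, not values taken from the advisory.

```javascript
// Added example, not multiparty's own code. A single-pass parser for the
// `filename` parameter of a Content-Disposition header value. Every loop
// iteration consumes at least one character, so work is O(n) in the header
// length regardless of content; there is no regex and therefore no
// catastrophic backtracking.

// Illustrative cap (assumption). The advisory notes that a header of roughly
// 8 KB is enough to trigger the slow path in vulnerable versions, so a cap
// well below that bounds the worst case even before the parser runs.
const MAX_HEADER_LEN = 1024;

// Returns the filename string, or null if the parameter is absent, empty or
// malformed. Throws RangeError when the header exceeds maxLen.
function parseFilename(headerValue, maxLen = MAX_HEADER_LEN) {
  if (typeof headerValue !== 'string') return null;
  if (headerValue.length > maxLen) {
    throw new RangeError('Content-Disposition header too long');
  }
  const s = headerValue;
  const n = s.length;
  let i = 0;
  while (i < n) {
    // Skip the disposition type (e.g. "form-data") or the previous parameter.
    while (i < n && s[i] !== ';') i++;
    if (i >= n) break;
    i++; // past ';'
    while (i < n && (s[i] === ' ' || s[i] === '\t')) i++;
    // Attribute name up to '=' (or ';' if the parameter has no value).
    const nameStart = i;
    while (i < n && s[i] !== '=' && s[i] !== ';') i++;
    const name = s.slice(nameStart, i).trim().toLowerCase();
    if (i >= n || s[i] !== '=') continue;
    i++; // past '='
    let value;
    if (s[i] === '"') {
      // quoted-string: read until an unescaped closing quote.
      i++;
      let out = '';
      let closed = false;
      while (i < n) {
        const c = s[i];
        if (c === '\\' && i + 1 < n) { out += s[i + 1]; i += 2; continue; }
        if (c === '"') { closed = true; i++; break; }
        out += c;
        i++;
      }
      if (!closed) {
        // Unterminated quote: malformed. Reject the filename rather than guess.
        if (name === 'filename') return null;
        continue;
      }
      value = out;
    } else {
      // token form: read up to the next ';'
      const vStart = i;
      while (i < n && s[i] !== ';') i++;
      value = s.slice(vStart, i).trim();
    }
    if (name === 'filename') return value.length ? value : null;
  }
  return null;
}

// Demonstrates bounded behaviour on a constructed ~8 KB header value with the
// length cap disabled: returns elapsed milliseconds (expected to be tiny).
function demoLinearTime() {
  const longHeader = 'form-data; name="f"; filename="' + 'a '.repeat(4096); // constructed
  const start = Date.now();
  const result = parseFilename(longHeader, Infinity);
  const elapsed = Date.now() - start;
  if (result !== null) throw new Error('unterminated quote should yield null');
  return elapsed;
}

module.exports = { MAX_HEADER_LEN, parseFilename, demoLinearTime };
```

In a request handler the cap should be enforced before any parsing at all (reject the part, or the whole request, when the raw header line exceeds the limit); the parser's own check is a second line of defence. The scanner deliberately handles only the `filename` parameter in quoted-string and token form; the RFC 5987 `filename*` form is not decoded here, and the returned value must still be treated as untrusted input when used to build filesystem paths.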
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pillarjs | Multiparty | < 4.3.0 |
Related Weaknesses (CWE)
References
- https://cna.openjsf.org/security-advisories.html (Third Party Advisory)
- https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx94 (Mitigation, Vendor Advisory)
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_R (Not Applicable)
FAQ
What is CVE-2026-8159?
CVE-2026-8159 is a vulnerability with a CVSS score of 7.5 (HIGH). multiparty versions below 4.3.0 are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long...
How severe is CVE-2026-8159?
CVE-2026-8159 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2026-8159?
Check the references section above for vendor advisories and patch information. Affected products include: Pillarjs Multiparty.