form-data does not escape CR/LF/quote in multipart field names and...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.

AI Analysis

CRLF injection vulnerability in form-data library through 4.0.5, allowing attackers to inject additional headers or smuggle multipart parts into requests

Basic Information

ID CVE-2026-12143

Source harborist

Published Jun 12, 2026 at 18:01

Modified Jun 12, 2026 at 19:04

Affected Product

Vendor form-data

Product form-data

Affected Versions form-data form-data 0
form-data form-data 3.0.0
form-data form-data 4.0.0

CWE Classification

CWE-93

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor form-data

Product form-data

Version 0, 3.0.0, 4.0.0, 4.0.5

References

{
    "lastseen": "",
    "description": "form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (\") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `\"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.",
    "published": "2026-06-12T18:01:30.362Z",
    "modified": "2026-06-12T19:04:44.024Z",
    "type": "cve",
    "title": "form-data does not escape CR/LF/quote in multipart field names and filenames (CRLF injection)",
    "source": "harborist",
    "references": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx\nhttps://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435\nhttps://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229\nhttps://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045\nhttps://www.npmjs.com/package/form-data\nhttps://cwe.mitre.org/data/definitions/93.html\nhttps://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data",
    "id": "CVE-2026-12143",
    "bulletinFamily": "",
    "cwe": [
        "CWE-93"
    ],
    "cvelist": null,
    "sourceData": "form-data form-data 0\nform-data form-data 3.0.0\nform-data form-data 4.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "form-data",
    "version": "0",
    "vendor": "form-data",
    "ai_description": "CRLF injection vulnerability in form-data library through 4.0.5, allowing attackers to inject additional headers or smuggle multipart parts into requests",
    "ai_severity": "High",
    "ai_vendor": "form-data",
    "ai_product": "form-data",
    "ai_version": "0, 3.0.0, 4.0.0, 4.0.5",
    "ai_score": 8.7
}

form-data does not escape CR/LF/quote in multipart field names and filenames (CRLF injection)_CVE-2026-12143