Ljharb

**Name of the Vulnerable Software and Affected Versions** form-data versions prior to 2.5.6 form-data versions prior to 3.0.5 form-data versions prior to 4.0.6 **Description** The `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. This allows an attacker to perform CRLF injection (Carriage Return Line Feed injection), which is the process of inserting special characters to manipulate the structure of an HTTP header. If an application uses untrusted input as a field name or filename, an attacker can terminate the header line to inject additional headers or smuggle entire multipart parts into the request forwarded to a backend. This can enable the attacker to add or override form fields, such as setting `is admin=true`, as seen by the downstream parser. **Recommendations** Update to version 2.5.6. Update to version 3.0.5. Update to version 4.0.6.