Npm · Multipart · CVE-2026-8161
**Name of the Vulnerable Software and Affected Versions**
multiparty versions 4.2.3 and earlier
**Description**
A denial of service occurs when a multipart/form-data request is sent with a field name that collides with an inherited Object.prototype property, such as ` proto `, `constructor`, or `toString`. This causes the parser to invoke the `.push()` function on the inherited prototype value instead of an array, resulting in a TypeError that triggers an uncaught exception and crashes the process. This issue affects any service that accepts multipart uploads via multiparty.
**Recommendations**
Update to version 4.3.0 or higher.