PT-2026-39997 · Npm · Multipart

Blake Embrey +5 · Published 2026-05-12 · Updated 2026-05-18 · CVE-2026-8161

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

multiparty versions 4.2.3 and earlier

Description

A denial of service occurs when a multipart/form-data request is sent with a field name that collides with an inherited Object.prototype property, such as __proto__, constructor, or toString. The parser then calls .push() on the inherited prototype value instead of on an array, which throws a TypeError; the exception is uncaught and crashes the process. This issue affects any service that accepts multipart uploads via multiparty.

Recommendations

Update to version 4.3.0 or higher.
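
The failure mode described above, reduced to the field-accumulator pattern and shown beside a hardened form. This is an added example, not multiparty's own code and not necessarily the change shipped in 4.3.0; the function names and the sample field list are constructed for illustration.

```javascript
// Constructed field (name, value) pairs, as a multipart parser would emit them.
const SAMPLE_FIELDS = [
  ['title', 'report'],
  ['tag', 'a'],
  ['tag', 'b'],
  ['toString', 'x'],     // collides with Object.prototype.toString
  ['constructor', 'y'],  // collides with Object.prototype.constructor
  ['__proto__', 'z']     // collides with the __proto__ accessor
]

// Vulnerable pattern: a plain object literal inherits from Object.prototype,
// so fields['toString'] is already a truthy function and has no .push().
function collectUnsafe (pairs) {
  const fields = {}
  for (const [name, value] of pairs) {
    const list = fields[name] || (fields[name] = [])
    list.push(value) // throws TypeError for an inherited name
  }
  return fields
}

// Hardened pattern: a prototype-less store has no inherited keys, so every
// name, including __proto__, is an ordinary own property holding an array.
function collectSafe (pairs) {
  const fields = Object.create(null)
  for (const [name, value] of pairs) {
    const list = fields[name] || (fields[name] = [])
    list.push(value)
  }
  return fields
}

// Returns the field names that would resolve to an inherited property on {}.
function collidingNames (pairs) {
  return [...new Set(pairs.map(([name]) => name))].filter(name => name in {})
}

// Runs a collector and reports the outcome instead of letting the throw escape.
function outcome (collector, pairs) {
  try {
    return { ok: true, fields: collector(pairs) }
  } catch (err) {
    return { ok: false, error: err.constructor.name }
  }
}

console.log(collidingNames(SAMPLE_FIELDS), outcome(collectUnsafe, SAMPLE_FIELDS))
```

The same two collectors can serve as a regression check in a service's own test suite after upgrading: the parse path should behave like `collectSafe` for every name `collidingNames` reports.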

Fix

DoS

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2026-8161
GHSA-QXCH-WHHJ-8956

Affected Products

Multipart