CVE-2026-12143

Name of the Vulnerable Software and Affected Versions form-data versions prior to 2.5.6 form-data versions prior to 3.0.5 form-data versions prior to 4.0.6

Description The field argument to FormData#append and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. This allows an attacker to perform CRLF injection (Carriage Return Line Feed injection), which is the process of inserting special characters to manipulate the structure of an HTTP header. If an application uses untrusted input as a field name or filename, an attacker can terminate the header line to inject additional headers or smuggle entire multipart parts into the request forwarded to a backend. This can enable the attacker to add or override form fields, such as setting is admin=true, as seen by the downstream parser.

Recommendations Update to version 2.5.6. Update to version 3.0.5. Update to version 4.0.6.