- Package: src:node-form-data
- Source: src:node-form-data
- Submitter: Salvatore Bonaccorso
- Date: 2026-06-24 08:51:01 UTC
- Severity: normal
- Tags:
Hi,
The following vulnerability was published for node-form-data.
CVE-2026-12143[0]:
| form-data is a library for creating readable multipart/form-data
| streams. In versions through 4.0.5, the `field` argument to
| `FormData#append` and the `filename` option are concatenated
| verbatim into the `Content-Disposition` header without escaping
| carriage return (CR), line feed (LF), or double-quote (")
| characters. An application that passes attacker-controlled data as a
| field name or filename (for example, an API gateway that turns JSON
| object keys into multipart field names) allows the attacker to
| terminate the header line and inject additional headers, or to
| smuggle entire additional multipart parts, into the request the
| application forwards to a backend. This can let the attacker add or
| override form fields (e.g. set `is_admin=true`) seen by the
| downstream parser. This is an instance of CWE-93 (CRLF injection).
| The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field
| names and filenames, matching the serialization browsers use per the
| WHATWG HTML multipart/form-data encoding algorithm. Exploitation
| requires the consuming application to use untrusted input as a field
| name or filename; applications that use only fixed/trusted field
| names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-12143
https://www.cve.org/CVERecord?id=CVE-2026-12143
[1] https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
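The escaping the advisory describes, as an added example that is not the form-data library's own code: a simplified model of the per-part Content-Disposition builder in its verbatim (vulnerable) and escaped (fixed) forms, plus a check a consuming application can run on a rendered part header. The header layout, the function names (`escapeDispositionParam`, `buildDisposition`, `headerLineCount`, `dispositionIsIntact`) and the sample field names are assumptions constructed for this example.

```javascript
// Added example, not form-data's own code. Models the CVE-2026-12143 fix:
// CR, LF and '"' in a field name or filename are escaped before they are
// placed into the Content-Disposition header of a multipart part.

// WHATWG multipart/form-data escaping: CR -> %0D, LF -> %0A, '"' -> %22.
function escapeDispositionParam(value) {
  return String(value)
    .replace(/\r/g, '%0D')
    .replace(/\n/g, '%0A')
    .replace(/"/g, '%22');
}

// Simplified (assumed) layout of the header written for each part:
//   Content-Disposition: form-data; name="<field>"[; filename="<name>"]\r\n
// With no escape function this is the vulnerable, verbatim behaviour.
function buildDisposition(field, filename, escape) {
  const esc = escape || ((s) => String(s));
  let header = 'Content-Disposition: form-data; name="' + esc(field) + '"';
  if (filename !== undefined) header += '; filename="' + esc(filename) + '"';
  return header + '\r\n';
}

// Number of non-empty CRLF-separated lines the rendered header occupies;
// anything other than 1 means a parameter broke out of the header line.
function headerLineCount(rendered) {
  return rendered.split('\r\n').filter((l) => l.length > 0).length;
}

// Defender-side check for a rendered part header: exactly one CRLF-terminated
// line, and the quoted parameters are precisely the escaped inputs, so an
// injected header line or a stray '"' is rejected.
function dispositionIsIntact(rendered, field, filename) {
  if (!rendered.endsWith('\r\n')) return false;
  const body = rendered.slice(0, -2);
  if (/[\r\n]/.test(body)) return false;
  const m = /^Content-Disposition: form-data; name="([^"]*)"(?:; filename="([^"]*)")?$/.exec(body);
  if (!m) return false;
  if (m[1] !== escapeDispositionParam(field)) return false;
  if (filename === undefined) return m[2] === undefined;
  return m[2] === escapeDispositionParam(filename);
}

// Constructed sample inputs: a benign field name and one carrying '"' + CRLF.
const SAFE_FIELD = 'avatar';
const HOSTILE_FIELD = 'avatar"\r\nX-Injected: 1';

const raw = buildDisposition(HOSTILE_FIELD); // verbatim, as in versions through 4.0.5
const fixed = buildDisposition(HOSTILE_FIELD, undefined, escapeDispositionParam);
console.log(headerLineCount(raw), dispositionIsIntact(raw, HOSTILE_FIELD));     // 2 false
console.log(headerLineCount(fixed), dispositionIsIntact(fixed, HOSTILE_FIELD)); // 1 true
```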
Hello,

Bug #1139959 in node-form-data reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-form-data/-/commit/a9ca2188ce4b902fda7c8860edc6fc3700993da2

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1139959
We believe that the bug you reported is fixed in the latest version of node-form-data, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1139959@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated node-form-data package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Wed, 24 Jun 2026 10:27:15 +0200
Source: node-form-data
Architecture: source
Version: 4.0.6+~2.1.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 1139959
Changes:
 node-form-data (4.0.6+~2.1.0-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.4
   * New upstream version (Closes: #1139959, CVE-2026-12143)