CVE-2026-12143

Published: Jun 12, 2026 Last Modified: Jun 16, 2026
HIGH 8.7
Source: 7ffcee3d-2c14-4c3e-b844-86c6a321a158
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
HIGH 7.5
Source: 7ffcee3d-2c14-4c3e-b844-86c6a321a158
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: none
Integrity: high
Availability: none

Description

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (`"`) characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) as seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
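The escaping the fix applies, shown beside the verbatim concatenation the advisory describes, as an added example in JavaScript that is not form-data's own code; `escapeName`, the two header builders, `isSingleHeaderLine` and the untrusted field name are names and values constructed here for the demonstration.

```javascript
// Added example, not form-data's code: WHATWG multipart/form-data escaping
// for field names and filenames, beside the pre-fix verbatim concatenation,
// so the difference can be checked on a constructed hostile input.

// WHATWG multipart/form-data encoding algorithm: in a name or filename,
// replace LF with %0A, CR with %0D and double quote with %22.
function escapeName(value) {
  return String(value)
    .replace(/\r/g, '%0D')
    .replace(/\n/g, '%0A')
    .replace(/"/g, '%22');
}

// Pre-fix behaviour described in the advisory: name and filename are
// dropped into the header line without any escaping.
function contentDispositionUnescaped(field, filename) {
  let header = `Content-Disposition: form-data; name="${field}"`;
  if (filename !== undefined) header += `; filename="${filename}"`;
  return header;
}

// Hardened form: escape both values before concatenating.
function contentDispositionEscaped(field, filename) {
  return contentDispositionUnescaped(
    escapeName(field),
    filename === undefined ? undefined : escapeName(filename));
}

// Defensive check an application can run on any header it is about to emit:
// a single header must not contain CR or LF anywhere.
function isSingleHeaderLine(header) {
  return !/[\r\n]/.test(header);
}

// Constructed input modelled on the advisory's gateway scenario: a JSON key
// under the caller's control becomes the multipart field name.
const untrustedFieldName = 'name"\r\nX-Extra: injected';

console.log(contentDispositionUnescaped(untrustedFieldName));
// spans two header lines: the field name has terminated the header
console.log(contentDispositionEscaped(untrustedFieldName));
// one line; the downstream parser sees a single, odd-looking field name
```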

EPSS (Exploit Prediction Scoring System)

Predicts the probability of exploitation based on threat intelligence and the characteristics of the vulnerability.

EPSS Score: 0.0005
Percentile: 0.2th

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

Status: Draft
Common Consequences
Security Scopes Affected: Integrity
Potential Impacts: Modify Application Data
Applicable Platforms: All platforms may be affected
https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx
https://cwe.mitre.org/data/definitions/93.html
https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf5…
https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d3…
https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442b…
https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipa…
https://www.npmjs.com/package/form-data