FKIE_CVE-2026-12143

Vulnerability from fkie_nvd - Published: 2026-06-12 19:16 - Updated: 2026-06-17 10:14
Severity
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
References
7ffcee3d-2c14-4c3e-b844-86c6a321a158https://cwe.mitre.org/data/definitions/93.html
7ffcee3d-2c14-4c3e-b844-86c6a321a158https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435
7ffcee3d-2c14-4c3e-b844-86c6a321a158https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229
7ffcee3d-2c14-4c3e-b844-86c6a321a158https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045
7ffcee3d-2c14-4c3e-b844-86c6a321a158https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx
7ffcee3d-2c14-4c3e-b844-86c6a321a158https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data
7ffcee3d-2c14-4c3e-b844-86c6a321a158https://www.npmjs.com/package/form-data
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx
Impacted products
Vendor Product Version
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "collectionURL": "https://www.npmjs.com/package/form-data",
          "defaultStatus": "unaffected",
          "packageName": "form-data",
          "product": "form-data",
          "programFiles": [
            "lib/form_data.js"
          ],
          "repo": "https://github.com/form-data/form-data",
          "vendor": "form-data",
          "versions": [
            {
              "lessThan": "2.5.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.5",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.0.6",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (\") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `\"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6."
    }
  ],
  "id": "CVE-2026-12143",
  "lastModified": "2026-06-17T10:14:38.143",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.7,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-12143",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-06-12T19:04:40.604029Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-06-12T19:16:26.560",
  "references": [
    {
      "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
      "url": "https://cwe.mitre.org/data/definitions/93.html"
    },
    {
      "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
      "url": "https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435"
    },
    {
      "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
      "url": "https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229"
    },
    {
      "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
      "url": "https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045"
    },
    {
      "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
      "url": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx"
    },
    {
      "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
      "url": "https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data"
    },
    {
      "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
      "url": "https://www.npmjs.com/package/form-data"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx"
    }
  ],
  "sourceIdentifier": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-93"
        }
      ],
      "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.