chore(deps): update dependency multiparty to v4.3.0 [security]#8265

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-multiparty-vulnerability

Conversation

@renovate renovate Bot commented May 18, 2026

This PR contains the following updates:

Package: multiparty
Change: 4.2.3 → 4.3.0

multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception

CVE-2026-8161 / GHSA-qxch-whhj-8956

Details

Impact

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property (e.g., __proto__, constructor, toString), the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Any service accepting multipart uploads via multiparty is affected.

Patches

Users should upgrade to multiparty@4.3.0 or higher.

Workarounds

None.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing

CVE-2026-8162 / GHSA-xh3c-6gcq-g4rv

Details

Impact

multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition: filename*=utf-8'' header containing a malformed percent-encoding (e.g., %FF, %GG), the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Any service accepting multipart uploads via multiparty is affected.

Patches

Users should upgrade to multiparty@4.3.0 or higher.

Workarounds

None.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H



multiparty vulnerable to ReDoS via filename parsing

CVE-2026-8159 / GHSA-65x3-rw7q-gx94

Details

Impact

multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A multipart upload with a long header value containing !filename="1 repeated can cause regex matching to take seconds, blocking the event loop. Any service accepting multipart uploads via multiparty is affected.

Patches

Users should upgrade to multiparty@4.3.0 or higher.

Workarounds

None. Limiting upload sizes at the proxy/gateway layer reduces but does not eliminate the attack surface, since a small ~8 KB header is sufficient to trigger the vulnerable backtracking.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H



Release Notes

pillarjs/multiparty (multiparty)

v4.3.0

Compare Source

Important: Security

Fixed

  • Fix decoding filenames from Chrome/Firefox (a786412)
  • Fix form parsing when no part event listener added (cb2421f)


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
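The first two advisories above (CVE-2026-8161 and CVE-2026-8162) describe the same defect class from a defender's point of view: parser state that throws on attacker-controlled input, with no catch anywhere, so a single request takes the whole Node.js process down. The following is an added illustration written for this page; it is not multiparty's code and not code from this repository, and the function names and sample inputs are this example's own. It shows a field accumulator that breaks on names inherited from Object.prototype next to a null-prototype version that does not, and an RFC 5987 filename* decoder that returns null on a malformed percent-escape instead of letting URIError escape. The decoder's regular expression is anchored with no nested or overlapping quantifiers, which is the property the third advisory's ReDoS fix is about.

```javascript
// Added illustration, not code from multiparty or from this repository.
// Two defect classes from the advisories, each beside a hardened form:
//   1. field values accumulated in a plain {} where a name such as
//      "__proto__" or "constructor" resolves to an inherited value and
//      .push() throws TypeError;
//   2. a filename* value passed to decodeURIComponent without try/catch,
//      so a malformed escape such as %FF or %GG throws URIError.
// All function names and sample values below are this example's own.

// --- 1. Field accumulation ----------------------------------------------

// Vulnerable pattern: a plain object inherits "constructor", "toString",
// "__proto__", ... so the truthiness check passes and .push is undefined.
function addFieldNaive(fields, name, value) {
  if (!fields[name]) fields[name] = [];
  fields[name].push(value); // TypeError when name is an inherited member
  return fields;
}

// Hardened pattern: a null-prototype store has no inherited members, and
// an own-property check replaces the truthiness test.
function createFieldStore() {
  return Object.create(null);
}

function addField(fields, name, value) {
  if (!Object.prototype.hasOwnProperty.call(fields, name)) {
    fields[name] = [];
  }
  fields[name].push(value);
  return fields;
}

// Reports whether the naive accumulator throws TypeError for a field
// name, without letting the exception escape (used for the demo/test).
function naiveThrowsOn(name) {
  try {
    addFieldNaive({}, name, 'x');
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}

// --- 2. filename* decoding ----------------------------------------------

// Matches  charset'language'value  (RFC 5987). Group 3 is limited to
// visible ASCII, which is where attr-char and pct-encoded live. The
// pattern is anchored and each quantifier is bounded by a literal quote
// or the end of input, so matching cost is linear in the header length.
const EXT_VALUE = /^([^']*)'([^']*)'([\x21-\x7e]*)$/;

// Returns the decoded filename, or null for an unsupported charset or a
// malformed escape, so the caller can reject the part rather than crash.
// Only UTF-8 is accepted here, which is the case the advisory names.
function decodeExtendedFilename(value) {
  const m = EXT_VALUE.exec(value);
  if (m === null) return null;
  if (m[1].toLowerCase() !== 'utf-8') return null;
  try {
    return decodeURIComponent(m[3]);
  } catch (err) {
    if (err instanceof URIError) return null; // %FF, %GG, truncated %C3
    throw err;
  }
}

// Demo on constructed inputs.
console.log('naive accumulator throws on "__proto__":', naiveThrowsOn('__proto__'));
console.log('hardened store keeps it as an own array:',
  addField(createFieldStore(), '__proto__', 'v')['__proto__']);
console.log('decoded filename*:', decodeExtendedFilename("utf-8''r%C3%A9sum%C3%A9.pdf"));
console.log('malformed escape %FF ->', decodeExtendedFilename("utf-8''%FF"));
```

Returning null from the decoder is a deliberate choice: a multipart parser sits on the request path, and the safe failure for one malformed part is a 4xx for that request, not an exception that reaches the process-level uncaughtException handler. The same reasoning applies to the field store, where the fix is to make the name lookup incapable of reaching inherited state rather than to blocklist particular names.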

@renovate renovate Bot requested a review from a team as a code owner May 18, 2026 22:41
@renovate renovate Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 18, 2026
@renovate renovate Bot enabled auto-merge (squash) May 18, 2026 22:41
@github-actions

📊 Benchmark results

Comparing with dfcc0a2

  • Dependency count: 1,131 ⬇️ 0.27% decrease vs. dfcc0a2
  • Package size: 379 MB ⬇️ 0.03% decrease vs. dfcc0a2
  • Number of ts-expect-error directives: 355 (no change)
