CVE-2026-8161

multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception

CVSS 7.5 HIGH · EPSS 0.5% · CWE-1321 · CWE-248
Vexday Risk Score: 41 (Attention)
SSVC decision (CISA): Attend
PoC available → attend closely
CVSS 7.5 · EPSS 0.5% · KEV: no · Public PoC · Nuclei · Metasploit · Patch
Lifecycle
11 May 2026: Public PoC
12 May 2026: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
multiparty · multiparty
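
The failure mode described above, reduced to a minimal field accumulator next to a hardened counterpart. This is an added example, not multiparty's source code or its 4.3.0 patch; the function names and the sample field list are constructed for illustration.

```javascript
// Constructed sample: (name, value) pairs as a multipart parser would emit them.
const SAMPLE_FIELDS = [
  ['title', 'report'],
  ['tag', 'a'],
  ['tag', 'b'],
  ['toString', 'x'],     // collides with Object.prototype.toString
  ['constructor', 'y'],  // collides with Object.prototype.constructor
  ['__proto__', 'z'],    // collides with the Object.prototype accessor
];

// Vulnerable pattern (hypothetical): a plain {} inherits from Object.prototype,
// so the truthiness check sees the inherited value and skips the array setup.
function collectUnsafe(pairs) {
  const fields = {};
  for (const [name, value] of pairs) {
    if (!fields[name]) fields[name] = [];
    fields[name].push(value); // TypeError: inherited value has no .push()
  }
  return fields;
}

// Hardened pattern (hypothetical): no prototype to inherit from, and the slot
// is only reused when it really is an array this function created.
function collectSafe(pairs) {
  const fields = Object.create(null);
  for (const [name, value] of pairs) {
    if (!Array.isArray(fields[name])) fields[name] = [];
    fields[name].push(value);
  }
  return fields;
}

// Feeds each name to a collector on its own and reports which ones throw.
// In a server without a surrounding try/catch, each of these would surface
// as an uncaught exception.
function namesThatThrow(collect, pairs) {
  const bad = [];
  for (const [name, value] of pairs) {
    try {
      collect([[name, value]]);
    } catch (err) {
      if (err instanceof TypeError) bad.push(name); else throw err;
    }
  }
  return bad;
}

console.log('unsafe throws on:', namesThatThrow(collectUnsafe, SAMPLE_FIELDS));
console.log('safe throws on:  ', namesThatThrow(collectSafe, SAMPLE_FIELDS));
```

Running the same list of reserved names against your own upload handler in a test suite is a quick regression check after upgrading.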