PatchSiren cyber security CVE debrief
CVE-2026-12143 form-data CVE debrief
CVE-2026-12143 is a high-severity vulnerability (CVSS Score: 8.7) affecting the form-data library, which is used to create readable multipart/form-data streams. The vulnerability allows an attacker to inject additional headers or smuggle entire additional multipart parts into a request by exploiting the `field` argument in `FormData#append` and the `filename` option. This is possible because the library does not properly escape carriage return (CR), line feed (LF), and double-quote (") characters in field names and filenames. The vulnerability was fixed in versions 2.5.6, 3.0.5, and 4.0.6 of the form-data library.
- Vendor: form-data
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Developers and administrators who use the form-data library in their applications, especially those that handle multipart/form-data requests, should be aware of this vulnerability. Applications that use untrusted input as field names or filenames are particularly vulnerable.
Technical summary
The form-data library does not properly escape CR, LF, and " characters in field names and filenames, allowing attackers to terminate the header line and inject additional headers or smuggle multipart parts. The fix escapes these characters as `%0D`, `%0A`, and `%22` in field names and filenames.
Defensive priority
High
Recommended defensive actions
- Update the form-data library to version 2.5.6, 3.0.5, or 4.0.6, or later.
- Validate and sanitize user input to prevent malicious field names and filenames.
- Use trusted input for field names and filenames whenever possible.
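The escaping described in the technical summary and the input check recommended above, as an added example that is not code from the form-data project. The function names and the sample field name are constructed for illustration.

```javascript
// Added example: not the form-data project's code. All names are hypothetical.
const ESCAPES = { '\r': '%0D', '\n': '%0A', '"': '%22' };

// Percent-escape CR, LF and double quote, the three characters the advisory names.
function escapeHeaderParam(value) {
  return String(value).replace(/[\r\n"]/g, (ch) => ESCAPES[ch]);
}

// Build a part's Content-Disposition line. escape=false reproduces the
// unpatched behaviour described on the page (value copied in verbatim).
function buildDisposition(field, filename, escape = true) {
  const enc = escape ? escapeHeaderParam : String;
  let header = `Content-Disposition: form-data; name="${enc(field)}"`;
  if (filename !== undefined) header += `; filename="${enc(filename)}"`;
  return header;
}

// How many header lines a receiver sees after splitting on CRLF.
function headerLineCount(header) {
  return header.split('\r\n').length;
}

// Application-side check for untrusted names: reject instead of rewriting.
function isSafeParam(value) {
  return typeof value === 'string' && value.length > 0 && !/[\r\n"]/.test(value);
}

// Constructed sample: a field name carrying a double quote and a CRLF pair.
const sampleField = 'avatar"\r\nX-Constructed: 1';

console.log(headerLineCount(buildDisposition(sampleField, undefined, false))); // 2
console.log(headerLineCount(buildDisposition(sampleField)));                   // 1
console.log(isSafeParam(sampleField), isSafeParam('avatar'));                  // false true
```

With escaping on, the header stays a single line, so the receiver never sees a second header or part boundary; the reject-style check is useful at the application boundary while an upgrade is pending.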
Evidence notes
The CVE-2026-12143 vulnerability was reported and fixed by the form-data library maintainers. The vulnerability is classified as CWE-93 (CRLF Injection).
Official resources
- CVE-2026-12143 CVE record (CVE.org)
- CVE-2026-12143 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 7ffcee3d-2c14-4c3e-b844-86c6a321a158
CVE-2026-12143 was published on 2026-06-12T19:16:26.560Z and modified on 2026-06-12T20:16:44.800Z.