CVE-2026-12143
Received - Intake
CRLF Injection in form-data Library

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: harborist

Description
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
Meta Information
Generated: 2026-06-13
AI Q&A generated: 2026-06-12
EPSS evaluated: N/A
Affected Vendors & Products (6 associated CPEs)

Vendor      Product     Version / Range
form-data   form-data   2.5.6
form-data   form-data   3.0.5
form-data   form-data   4.0.6
form-data   form-data   to 2.5.6 (exc)
form-data   form-data   From 3.0.0 (inc) to 3.0.5 (exc)
form-data   form-data   From 4.0.0 (inc) to 4.0.6 (exc)
CWE
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Quick Actions
Executive Summary

CVE-2026-12143 is a vulnerability in the form-data library used to create multipart/form-data streams. In affected versions, the library does not properly escape carriage return (CR), line feed (LF), or double-quote (") characters in field names or filenames when constructing the Content-Disposition header. This allows an attacker who can control these inputs to inject additional headers or multipart parts into the request forwarded to a backend.

This vulnerability is a form of CRLF injection (CWE-93), which can let attackers manipulate or add form fields, such as setting is_admin=true, potentially altering backend processing. The issue is fixed by escaping these special characters as %0D, %0A, and %22, matching browser behavior.

Exploitation requires the application to use untrusted input as field names or filenames; applications using only fixed or trusted field names are not affected.

Impact Analysis

This vulnerability can impact you by allowing an attacker to inject or override form fields in requests processed by your backend. For example, an attacker could set sensitive fields like is_admin=true, potentially escalating privileges or altering application behavior.

The main impact is on data integrity, as attackers can manipulate the content of multipart form submissions. There is no direct impact on confidentiality or availability attributed to this vulnerability.

The severity depends on whether your application uses untrusted input as field names or filenames in form-data. If only fixed or trusted field names are used, the risk is mitigated.

Detection Guidance

This vulnerability involves CRLF injection through unescaped carriage return (CR), line feed (LF), and double-quote characters in multipart/form-data field names or filenames. Detection involves monitoring or inspecting multipart/form-data requests for suspicious or malformed Content-Disposition headers that contain unexpected CR, LF, or quote characters.

You can detect potential exploitation attempts by capturing HTTP requests and searching for multipart/form-data headers containing CR or LF characters or unusual header injections.

Example commands to detect suspicious requests might include:

  • Using tcpdump or tshark to capture HTTP traffic with a non-empty TCP payload and filtering for multipart/form-data part headers:
    tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'Content-Disposition'
  • Using grep or similar tools on web server logs to find logged field names or filenames containing a raw CR (\r) or the encoded equivalents (%0D, %0A). A raw LF can never match here because the log is already split into lines at LF:
    grep -P '\r|%0D|%0A' /var/log/nginx/access.log
  • Review application logs or proxy logs for multipart/form-data requests with injected headers or additional parts.

Note that detection effectiveness depends on the ability to inspect raw HTTP requests and the presence of untrusted input used as field names or filenames.

Mitigation Strategies

To mitigate this vulnerability, the primary step is to upgrade the form-data library to a fixed version where the issue is resolved. The patched versions are 2.5.6, 3.0.5, and 4.0.6, which properly escape carriage return (CR), line feed (LF), and double-quote characters in field names and filenames.

If immediate upgrading is not possible, a temporary workaround is to validate or reject any field names or filenames that contain control characters such as CR, LF, or double quotes before passing them to FormData#append().
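The following is an added example, not code from the form-data project: it contrasts verbatim concatenation of a field name into the Content-Disposition header with the WHATWG-style escaping the fix applies (CR, LF and `"` to `%0D`, `%0A`, `%22`), and shows the reject-before-append workaround described above. All function names and the hostile field name are constructed for illustration.

```javascript
// Added example (not form-data's own code). Names are illustrative.

// WHATWG multipart/form-data escaping for name and filename:
// CR -> %0D, LF -> %0A, double quote -> %22.
function escapeName(value) {
  return String(value)
    .replace(/\r/g, '%0D')
    .replace(/\n/g, '%0A')
    .replace(/"/g, '%22');
}

// Pre-fix behaviour (illustrative): field and filename concatenated verbatim.
function buildHeaderUnescaped(field, filename) {
  let h = `Content-Disposition: form-data; name="${field}"`;
  if (filename !== undefined) h += `; filename="${filename}"`;
  return h + '\r\n';
}

// Fixed behaviour: every caller-supplied token is escaped first.
function buildHeaderEscaped(field, filename) {
  let h = `Content-Disposition: form-data; name="${escapeName(field)}"`;
  if (filename !== undefined) h += `; filename="${escapeName(filename)}"`;
  return h + '\r\n';
}

// How many header lines a receiving parser sees (trailing CRLF removed).
// A correctly built Content-Disposition header is exactly one line.
function headerLineCount(header) {
  return header.replace(/\r\n$/, '').split('\r\n').length;
}

// Workaround for applications that cannot upgrade yet: reject any field
// name or filename containing CR, LF or '"' before calling FormData#append.
function assertSafeName(value, what = 'field name') {
  if (/[\r\n"]/.test(value)) {
    throw new TypeError(`${what} contains CR, LF or '"' and was rejected`);
  }
  return value;
}

// Constructed hostile input: a JSON key that ends the header line early.
const hostileField = 'comment"\r\nextra-line';

console.log(headerLineCount(buildHeaderUnescaped(hostileField))); // 2
console.log(headerLineCount(buildHeaderEscaped(hostileField)));   // 1
console.log(buildHeaderEscaped(hostileField).trim());
try { assertSafeName(hostileField); } catch (e) { console.log(e.message); }
```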

Additionally, review your application to ensure it does not use untrusted input as multipart field names or filenames, as exploitation requires attacker-controlled input in these fields.

Implement monitoring to detect suspicious multipart/form-data requests that may attempt header injection or multipart smuggling.

Compliance Impact

CVE-2026-12143 is a CRLF injection vulnerability that allows attackers to inject or manipulate form fields and headers by exploiting unescaped carriage return, line feed, and double-quote characters in multipart/form-data streams.

This vulnerability primarily impacts data integrity by enabling attackers to override or add form fields (e.g., setting is_admin=true) seen by downstream parsers, potentially leading to unauthorized access or privilege escalation.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the integrity impact and potential unauthorized data manipulation could indirectly affect compliance by violating principles of data accuracy, security, and access control mandated by these regulations.

Organizations using vulnerable versions of the form-data library and passing untrusted input as field names or filenames may risk non-compliance if attackers exploit this vulnerability to alter data or gain unauthorized privileges.

Mitigation involves updating to patched versions (2.5.6, 3.0.5, 4.0.6) that properly escape special characters, or validating/rejecting untrusted input before use, thereby reducing the risk of injection attacks and helping maintain compliance with data protection standards.
