CVE-2026-12143: form-data: CRLF injection in form-data via unescaped multipart field names and filenames
form-data builds multipart/form-data request bodies. Through v4.0.5, the field name passed to FormData#append and the filename option are concatenated directly into the Content-Disposition header with no escaping of CR (\r), LF (\n), or ". An application that uses untrusted input as a field name or filename therefore lets an attacker terminate the header line and either inject additional headers or smuggle whole additional multipart parts into the request the application forwards to a backend.
This is CWE-93 (CRLF injection). It is a divergence from how browsers and the WHATWG HTML spec serialize form-data (they escape these characters), so the fix is to match that behavior. Severity is conditional: it depends on the consuming application passing attacker-controlled data as a field name or filename. Applications that only use fixed/trusted field names are not affected.
References
- github.com/advisories/GHSA-hmw2-7cc7-3qxx
- github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435
- github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229
- github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045
- github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx
- html.spec.whatwg.org/multipage/form-control-infrastructure.html
- nvd.nist.gov/vuln/detail/CVE-2026-12143
- www.npmjs.com/package/form-data
Code Behaviors & Features
Detect and mitigate CVE-2026-12143 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →