Debian Package Tracker

node-form-data

Create multipart/form-data streams module for Node.js


general
  • source: node-form-data (main)
  • version: 4.0.5+~2.1.0-1
  • maintainer: Debian Javascript Maintainers (archive) (DMD)
  • uploaders: Jérémy Lal [DMD]
  • arch: all
  • std-ver: 4.7.3
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 3.0.0-2
  • o-o-sec: 3.0.0-2+deb11u1
  • oldstable: 4.0.0-1+deb12u1
  • stable: 4.0.1-2
  • testing: 4.0.5+~2.1.0-1
  • unstable: 4.0.5+~2.1.0-1
versioned links
  • 3.0.0-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 3.0.0-2+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.0.0-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.0.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 4.0.5+~2.1.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • node-form-data
action needed
A new upstream version is available: 4.0.6+~2.1.0 [high]
A new upstream version 4.0.6+~2.1.0 is available, you should consider packaging it.
Created: 2026-06-13 Last update: 2026-06-14 10:30
1 security issue in trixie [high]

There is 1 open security issue in trixie.

1 important issue:
  • CVE-2026-12143: form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
Created: 2026-06-13 Last update: 2026-06-14 08:30
1 security issue in sid [high]

There is 1 open security issue in sid.

1 important issue:
  • CVE-2026-12143 (described under trixie above)
Created: 2026-06-13 Last update: 2026-06-14 08:30
1 security issue in forky [high]

There is 1 open security issue in forky.

1 important issue:
  • CVE-2026-12143 (described under trixie above)
Created: 2026-06-13 Last update: 2026-06-14 08:30
1 security issue in bullseye [high]

There is 1 open security issue in bullseye.

1 important issue:
  • CVE-2026-12143 (described under trixie above)
Created: 2026-06-13 Last update: 2026-06-14 08:30
1 security issue in bookworm [high]

There is 1 open security issue in bookworm.

1 important issue:
  • CVE-2026-12143 (described under trixie above)
Created: 2026-06-13 Last update: 2026-06-14 08:30
1 new commit since last upload, is it time to release? [normal]
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit 0af29f41d0e873ee88316599a6ab5d900aeb5839
Author: Xavier Guimard <yadd@debian.org>
Date:   Tue Apr 28 11:33:21 2026 +0200

    Declare compliance with policy 4.7.4
Created: 2026-04-28 Last update: 2026-06-08 14:00
1 open merge request in Salsa [normal]
There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.
Created: 2025-09-24 Last update: 2025-09-24 10:02
Standards version of the package is outdated. [wishlist]
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).
Created: 2026-03-31 Last update: 2026-03-31 15:01
news
  • [2026-03-24] node-form-data 4.0.5+~2.1.0-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-21] Accepted node-form-data 4.0.5+~2.1.0-1 (source) into unstable (Xavier Guimard)
  • [2025-09-29] node-form-data 4.0.4+~2.1.0-1 MIGRATED to testing (Debian testing watch)
  • [2025-09-15] Accepted node-form-data 4.0.4+~2.1.0-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2025-08-22] Accepted node-form-data 4.0.0-1+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2025-07-31] Accepted node-form-data 3.0.0-2+deb11u1 (source) into oldstable-security (Chris Lamb)
  • [2025-07-31] node-form-data 4.0.1-2 MIGRATED to testing (Debian testing watch)
  • [2025-07-24] Accepted node-form-data 4.0.1-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2024-10-16] node-form-data 4.0.1-1 MIGRATED to testing (Debian testing watch)
  • [2024-10-14] Accepted node-form-data 4.0.1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-07-20] node-form-data 4.0.0-1 MIGRATED to testing (Debian testing watch)
  • [2022-07-17] Accepted node-form-data 4.0.0-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-12-30] node-form-data 3.0.1-1 MIGRATED to testing (Debian testing watch)
  • [2021-12-28] Accepted node-form-data 3.0.1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-09-18] node-form-data 3.0.0-4 MIGRATED to testing (Debian testing watch)
  • [2021-09-15] Accepted node-form-data 3.0.0-4 (source) into unstable (Jelmer Vernooij) (signed by: Jelmer Vernooij)
  • [2021-08-28] Accepted node-form-data 3.0.0-3 (source all) into unstable (Jelmer Vernooij) (signed by: Jelmer Vernooij)
  • [2019-12-28] node-form-data 3.0.0-2 MIGRATED to testing (Debian testing watch)
  • [2019-12-25] Accepted node-form-data 3.0.0-2 (source) into unstable (Xavier Guimard)
  • [2019-12-18] Accepted node-form-data 3.0.0-1 (source) into experimental (Xavier Guimard)
  • [2019-10-22] node-form-data 2.5.1-1 MIGRATED to testing (Debian testing watch)
  • [2019-10-20] Accepted node-form-data 2.5.1-1 (source) into unstable (Xavier Guimard)
  • [2019-08-09] node-form-data 2.3.2-4 MIGRATED to testing (Debian testing watch)
  • [2019-08-04] Accepted node-form-data 2.3.2-4 (source) into unstable (Xavier Guimard)
  • [2019-07-09] node-form-data 2.3.2-3 MIGRATED to testing (Debian testing watch)
  • [2019-03-10] Accepted node-form-data 2.3.2-3 (source) into unstable (Xavier Guimard)
  • [2018-10-09] Accepted node-form-data 2.3.2-2~bpo9+1 (source all) into stretch-backports, stretch-backports (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2018-09-22] node-form-data 2.3.2-2 MIGRATED to testing (Debian testing watch)
  • [2018-09-19] Accepted node-form-data 2.3.2-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2018-09-19] Accepted node-form-data 2.3.2-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
bugs [bug history graph]
  • all: 1
  • RC: 0
  • I&N: 1
  • M&W: 0
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debci
ubuntu
  • version: 4.0.5+~2.1.0-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.