node-multiparty - Debian Package Tracker

general

source: node-multiparty (main)
version: 4.3.0+~4.2.1-1
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Jérémy Lal [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 4.2.2-2
oldstable: 4.2.3-2
stable: 4.2.3-3
testing: 4.3.0+~4.2.1-1
unstable: 4.3.0+~4.2.1-1

versioned links

4.2.2-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.2.3-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.2.3-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.3.0+~4.2.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

node-multiparty

action needed

Debci reports failed tests high

unstable: fail (log)
The tests ran in an unknown time
Last run: 2025-01-29T18:58:23.174Z
Previous status: unknown

Created: 2025-03-30 Last update: 2026-05-22 12:31

3 security issues in bullseye high

There are 3 open security issues in bullseye.

3 important issues:

CVE-2026-8159: multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to multiparty@4.3.0 or higher.
CVE-2026-8161: multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
CVE-2026-8162: multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.

Created: 2026-05-13 Last update: 2026-05-22 05:00

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2026-05-20 Last update: 2026-05-20 15:00

3 low-priority security issues in trixie low

There are 3 open security issues in trixie.

3 issues left for the package maintainer to handle:

CVE-2026-8159: (needs triaging) multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to multiparty@4.3.0 or higher.
CVE-2026-8161: (needs triaging) multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
CVE-2026-8162: (needs triaging) multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-13 Last update: 2026-05-22 05:00

3 low-priority security issues in bookworm low

There are 3 open security issues in bookworm.

3 issues left for the package maintainer to handle:

CVE-2026-8159: (needs triaging) multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to multiparty@4.3.0 or higher.
CVE-2026-8161: (needs triaging) multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property such as __proto__, constructor, or toString, the parser invokes .push() on the inherited prototype value rather than an array, throwing a TypeError that propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.
CVE-2026-8162: (needs triaging) multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter contains a malformed percent-encoding, the parser invokes decodeURI on the value without try/catch. The resulting URIError propagates as an uncaught exception and crashes the process. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: none. Upgrade to multiparty@4.3.0 or higher.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-05-13 Last update: 2026-05-22 05:00

debian/patches: 1 patch to forward upstream low

Among the 3 debian patches available in version 4.3.0+~4.2.1-1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-05-17 08:30

news

[rss feed]

[2026-05-22] node-multiparty 4.3.0+~4.2.1-1 MIGRATED to testing (Debian testing watch)
[2026-05-16] Accepted node-multiparty 4.3.0-1 (source) into unstable (Xavier Guimard)
[2026-05-16] Accepted node-multiparty 4.3.0+~4.2.1-1 (source) into unstable (Xavier Guimard)
[2026-01-01] node-multiparty 4.2.3-5 MIGRATED to testing (Debian testing watch)
[2025-12-27] Accepted node-multiparty 4.2.3-5 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-12-27] node-multiparty 4.2.3-4 MIGRATED to testing (Debian testing watch)
[2025-12-22] Accepted node-multiparty 4.2.3-4 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-04-07] node-multiparty 4.2.3-3 MIGRATED to testing (Debian testing watch)
[2025-04-02] Accepted node-multiparty 4.2.3-3 (source) into unstable (Jérémy Lal)
[2024-07-09] node-multiparty REMOVED from testing (Debian testing watch)
[2022-07-23] node-multiparty 4.2.3-2 MIGRATED to testing (Debian testing watch)
[2022-07-18] Accepted node-multiparty 4.2.3-2 (source) into unstable (Jérémy Lal)
[2022-03-09] node-multiparty 4.2.3-1 MIGRATED to testing (Debian testing watch)
[2022-03-03] Accepted node-multiparty 4.2.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-11-23] node-multiparty 4.2.2-3 MIGRATED to testing (Debian testing watch)
[2021-11-17] Accepted node-multiparty 4.2.2-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2020-11-09] node-multiparty 4.2.2-2 MIGRATED to testing (Debian testing watch)
[2020-10-24] Accepted node-multiparty 4.2.2-2 (source) into unstable (Xavier Guimard)
[2020-10-23] Accepted node-multiparty 4.2.2-1 (source) into experimental (Xavier Guimard)
[2020-06-03] node-multiparty 4.2.1-3 MIGRATED to testing (Debian testing watch)
[2020-06-01] Accepted node-multiparty 4.2.1-3 (source) into unstable (Xavier Guimard)
[2020-01-29] node-multiparty 4.2.1-2 MIGRATED to testing (Debian testing watch)
[2020-01-27] Accepted node-multiparty 4.2.1-2 (source) into unstable (Xavier Guimard)
[2019-01-25] node-multiparty 4.2.1-1 MIGRATED to testing (Debian testing watch)
[2019-01-23] Accepted node-multiparty 4.2.1-1 (source) into unstable (Xavier Guimard)
[2018-08-12] node-multiparty REMOVED from testing (Debian testing watch)
[2017-11-12] node-multiparty 4.0.0-1 MIGRATED to testing (Debian testing watch)
[2017-11-11] node-multiparty REMOVED from testing (Debian testing watch)
[2014-10-31] node-multiparty 4.0.0-1 MIGRATED to testing (Britney)
[2014-10-21] Accepted node-multiparty 4.0.0-1 (source all) into unstable (Andrew Kelley) (signed by: Felipe Sateler)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 1)
buildd: logs
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.2.3-5