js · form-data · Critical
form-data: CRLF injection in Content-Disposition headers
What changed
CRLF injection vulnerability in form-data library: field names and filenames are not escaped when building Content-Disposition headers, allowing header injection and multipart part smuggling.
Who it affects
Applications that pass untrusted input as field names or filenames to FormData#append.
What to do today
Upgrade to version 4.0.6, 3.0.5, or 2.5.6, or validate/reject field names and filenames containing control characters.
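A guard that implements the validate/reject option above, added here as an example and not code from the form-data project; the names isSafeMultipartName, assertSafeMultipartName and safeAppend are assumptions, and the wrapper only assumes the form object exposes an append(name, value, options) method like form-data's.

```javascript
// Added example (not form-data's own code): reject control characters in
// field names and filenames before they reach FormData#append, so an
// untrusted value cannot end the Content-Disposition header line or
// introduce an extra multipart part.

// C0 control characters (0x00-0x1F, which includes CR and LF) and DEL (0x7F).
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

// True when `value` is a string that can sit inside a Content-Disposition
// header without terminating the header or the part.
function isSafeMultipartName(value) {
  return typeof value === 'string' && !CONTROL_CHARS.test(value);
}

// Fail closed: throw with the offending code point instead of silently
// emitting a malformed multipart body. `what` names the field for the message.
function assertSafeMultipartName(value, what) {
  if (typeof value !== 'string') {
    throw new TypeError(`${what} must be a string`);
  }
  const m = CONTROL_CHARS.exec(value);
  if (m) {
    const hex = m[0].charCodeAt(0).toString(16).toUpperCase().padStart(4, '0');
    throw new Error(`${what} contains control character U+${hex}`);
  }
  return value;
}

// Drop-in wrapper for any object with an append(name, value, options) method
// (assumed to match form-data's signature). Validates the field name and,
// when supplied, options.filename, then delegates to the real append.
function safeAppend(form, name, value, options) {
  assertSafeMultipartName(name, 'field name');
  if (options && typeof options === 'object' && options.filename !== undefined) {
    assertSafeMultipartName(options.filename, 'filename');
  }
  return form.append(name, value, options);
}
```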