
Update dependency form-data to v4.0.6 [SECURITY]#9488

Merged
vinzscam merged 1 commit into main from renovate/npm-form-data-vulnerability on Jun 30, 2026

Conversation

@backstage-goalie (Bot, Contributor) commented Jun 15, 2026

This PR contains the following updates:

Package    Change          Age   Confidence
form-data  4.0.5 → 4.0.6   age   confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


form-data: CRLF injection in form-data via unescaped multipart field names and filenames

CVE-2026-12143 / GHSA-hmw2-7cc7-3qxx


Summary

form-data builds multipart/form-data request bodies. Through v4.0.5, the field name passed to FormData#append and the filename option are concatenated directly into the Content-Disposition header with no escaping of CR (\r), LF (\n), or ". An application that uses untrusted input as a field name or filename therefore lets an attacker terminate the header line and either inject additional headers or smuggle whole additional multipart parts into the request the application forwards to a backend.

This is CWE-93 (CRLF injection). It is a divergence from how browsers and the WHATWG HTML spec serialize form-data (they escape these characters), so the fix is to match that behavior. Severity is conditional: it depends on the consuming application passing attacker-controlled data as a field name or filename. Applications that only use fixed/trusted field names are not affected.

Details

In lib/form_data.js, _multiPartHeader builds the part header as:

'Content-Disposition': ['form-data', 'name="' + field + '"'].concat(contentDisposition || [])

and _getContentDisposition builds 'filename="' + filename + '"'. Neither escapes control characters, so a \r\n in field/filename ends the header line. The same applies to ", which can break out of the quoted parameter.

Proof of concept

// Field name carrying a double quote and CR/LF pairs, accepted unescaped by form-data <= 4.0.5
const FormData = require('form-data');
const form = new FormData();
form.append('email"\r\nX-Injected: true\r\nfake="', 'user@example.com');
// Print the serialized multipart body; before the fix the injected header line appears verbatim
console.log(form.getBuffer().toString());

Before the fix this emits an injected X-Injected: true header line. A field name that also includes --<boundary> sequences can introduce additional parts (e.g. an extra name="is_admin" field), which a downstream parser accepts as legitimate.

Impact

For an application that uses untrusted field names/filenames:

  • Field injection / override (integrity). Inject or override fields the backend trusts (e.g. is_admin, role) — the primary demonstrated impact.
  • Header injection into the generated multipart part.

Claims of guaranteed privilege escalation, authentication bypass, high confidentiality impact, and availability impact are application-dependent downstream consequences, not properties of form-data itself, and are not demonstrated by the PoC.

Severity

The demonstrated, library-attributable impact is integrity (field/header injection); there is no demonstrated confidentiality disclosure or availability impact in form-data itself, and exploitation requires the consuming app to feed untrusted data into field names/filenames. A Moderate (≈5.3, I:L) rating is also defensible given that precondition.

Patch

Fixed in 4.0.6, 3.0.5, and 2.5.6. Users on older 0.x/1.x/2.x releases should upgrade to 2.5.6 or later.

The fix escapes \r, \n, and " as %0D, %0A, and %22 in field names and filenames, matching the WHATWG HTML multipart/form-data encoding algorithm that browsers implement. This neutralizes the injection while leaving ordinary field names (including name[0], dotted, and unicode names) unchanged.

Workaround

Until upgrading, validate or reject field names/filenames that contain control characters before calling append:

if (/[\r\n]/.test(field)) { throw new Error('invalid field name'); }

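As an added example (not code from form-data or from the advisory), the following reproduces the escaping the 4.0.6 fix adopts beside the raw concatenation the Details section quotes from _multiPartHeader, plus a pre-upgrade guard that also covers the double quote the Details section names; all helper names are hypothetical.

```javascript
// Added example: WHATWG-style escaping of multipart field names/filenames,
// the vulnerable header construction beside the hardened one, and a guard
// an application can run before calling append(). Helper names are hypothetical.

// Escape the three characters the fix neutralizes, exactly as the advisory states.
function escapeName(name) {
  return String(name)
    .replace(/\r/g, '%0D')
    .replace(/\n/g, '%0A')
    .replace(/"/g, '%22');
}

// Header construction as the affected versions did it: raw concatenation.
function contentDispositionUnsafe(field, filename) {
  const parts = ['form-data', 'name="' + field + '"'];
  if (filename !== undefined) parts.push('filename="' + filename + '"');
  return 'Content-Disposition: ' + parts.join('; ');
}

// Hardened construction: escape the field name and filename first.
function contentDispositionSafe(field, filename) {
  const safeFile = filename === undefined ? undefined : escapeName(filename);
  return contentDispositionUnsafe(escapeName(field), safeFile);
}

// Pre-upgrade guard for the consuming application: reject CR, LF and the
// double quote (which breaks out of the quoted parameter) before append().
function isSafeName(name) {
  return !/[\r\n"]/.test(String(name));
}

// Sanity check on a generated part header: it must stay on one line and
// carry exactly one name= parameter (filename= is not counted).
function headerIsIntact(header) {
  const names = header.match(/(?:^|; )name="/g) || [];
  return !/[\r\n]/.test(header) && names.length === 1;
}

// Constructed sample input: the advisory's malicious field name.
const maliciousField = 'email"\r\nX-Injected: true\r\nfake="';
console.log(isSafeName(maliciousField));                                   // false
console.log(headerIsIntact(contentDispositionUnsafe(maliciousField)));     // false
console.log(headerIsIntact(contentDispositionSafe(maliciousField)));       // true
console.log(contentDispositionSafe('file', 'a"b.txt'));                    // filename="a%22b.txt"
```

Ordinary names such as name[0], dotted and unicode names pass through escapeName unchanged, matching the behavior the Patch section describes.
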
Credit

Reported by yueyueL.

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

form-data/form-data (form-data)

v4.0.6


Commits
  • [Fix] escape CR, LF, and " in field names and filenames 8dff42c
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
  • [Deps] update hasown, mime-types 92ae0eb
  • [Dev Deps] update js-randomness-predictor 67b0f65

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Copilot AI review requested due to automatic review settings June 15, 2026 21:10
@backstage-goalie backstage-goalie Bot added dependencies Pull requests that update a dependency file security labels Jun 15, 2026
@backstage-goalie backstage-goalie Bot requested a review from vinzscam June 15, 2026 21:10

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@backstage-goalie backstage-goalie Bot changed the title chore(deps): update dependency form-data to v4.0.6 [security] chore(deps): update dependency form-data to v4.0.6 [security] - autoclosed Jun 16, 2026
@backstage-goalie backstage-goalie Bot closed this Jun 16, 2026
@backstage-goalie backstage-goalie Bot deleted the renovate/npm-form-data-vulnerability branch June 16, 2026 09:54
@backstage-goalie backstage-goalie Bot changed the title chore(deps): update dependency form-data to v4.0.6 [security] - autoclosed chore(deps): update dependency form-data to v4.0.6 [security] Jun 16, 2026
@backstage-goalie backstage-goalie Bot reopened this Jun 16, 2026
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-form-data-vulnerability branch 2 times, most recently from 02b02ba to 2c105c5 Compare June 16, 2026 11:55
@backstage-goalie backstage-goalie Bot changed the title chore(deps): update dependency form-data to v4.0.6 [security] chore(deps): update dependency form-data to v4.0.6 [security] - autoclosed Jun 16, 2026
@backstage-goalie backstage-goalie Bot closed this Jun 16, 2026
@backstage-goalie backstage-goalie Bot changed the title chore(deps): update dependency form-data to v4.0.6 [security] - autoclosed chore(deps): update dependency form-data to v4.0.6 [security] Jun 16, 2026
@backstage-goalie backstage-goalie Bot reopened this Jun 16, 2026
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-form-data-vulnerability branch 2 times, most recently from 2c105c5 to d8eb3a9 Compare June 16, 2026 15:47
@backstage-goalie backstage-goalie Bot changed the title chore(deps): update dependency form-data to v4.0.6 [security] chore(deps): update dependency form-data to v4.0.6 [security] - autoclosed Jun 17, 2026
@backstage-goalie backstage-goalie Bot closed this Jun 17, 2026
@backstage-goalie backstage-goalie Bot changed the title chore(deps): update dependency form-data to v4.0.6 [security] - autoclosed chore(deps): update dependency form-data to v4.0.6 [security] Jun 17, 2026
@backstage-goalie backstage-goalie Bot reopened this Jun 17, 2026
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-form-data-vulnerability branch from d8eb3a9 to 2a59d79 Compare June 17, 2026 15:13
Copilot AI review requested due to automatic review settings June 19, 2026 23:30


@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-form-data-vulnerability branch from ef75369 to 97f221a Compare June 20, 2026 07:26
Copilot AI review requested due to automatic review settings June 20, 2026 12:42
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-form-data-vulnerability branch from 97f221a to 7a148ba Compare June 20, 2026 12:42


@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-form-data-vulnerability branch from 7a148ba to 84e9f16 Compare June 20, 2026 16:39
Copilot AI review requested due to automatic review settings June 22, 2026 15:01
@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-form-data-vulnerability branch from 84e9f16 to 5241f0d Compare June 22, 2026 15:01


@backstage-goalie backstage-goalie Bot force-pushed the renovate/npm-form-data-vulnerability branch from 5241f0d to 650fb33 Compare June 22, 2026 20:12
@backstage-goalie backstage-goalie Bot changed the title chore(deps): update dependency form-data to v4.0.6 [security] Update dependency form-data to v4.0.6 [SECURITY] Jun 22, 2026
@backstage-service (Collaborator) commented:

👋 Reminder: This Renovate patch/minor PR has been open for 7 days.

Please review and merge if the changes look good. If no action is taken, this PR will be labeled force-merge in 7 days.

Copilot AI left a comment

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.


Signed-off-by: Renovate Bot <bot@renovateapp.com>
3 participants