Commit 77982eb
chore(deps): update dependency form-data to v4.0.6 [security] (#8308)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [form-data](https://redirect.github.com/form-data/form-data) | [`4.0.4` → `4.0.6`](https://renovatebot.com/diffs/npm/form-data/4.0.4/4.0.6) | | |
---
### form-data: CRLF injection in form-data via unescaped multipart field names and filenames
[CVE-2026-12143](https://nvd.nist.gov/vuln/detail/CVE-2026-12143) /
[GHSA-hmw2-7cc7-3qxx](https://redirect.github.com/advisories/GHSA-hmw2-7cc7-3qxx)
<details>
<summary>More information</summary>
#### Details
##### Summary
`form-data` builds `multipart/form-data` request bodies. Through v4.0.5,
the `field` name passed to `FormData#append` and the `filename` option
are concatenated directly into the `Content-Disposition` header with no
escaping of CR (`\r`), LF (`\n`), or `"`. An application that uses
**untrusted input as a field name or filename** therefore lets an
attacker terminate the header line and either inject additional headers
or smuggle whole additional multipart parts into the request the
application forwards to a backend.
This is CWE-93 (CRLF injection). It is a divergence from how browsers
and the WHATWG HTML spec serialize form-data (they escape these
characters), so the fix is to match that behavior. Severity is
**conditional**: it depends on the consuming application passing
attacker-controlled data as a field name or filename. Applications that
only use fixed/trusted field names are not affected.
##### Details
In `lib/form_data.js`, `_multiPartHeader` builds the part header as:
```javascript
'Content-Disposition': ['form-data', 'name="' + field + '"'].concat(contentDisposition || [])
```
and `_getContentDisposition` builds `filename="' + filename + '"'`.
Neither escapes control characters, so a `\r\n` in `field`/`filename`
ends the header line. The same applies to `"`, which can break out of
the quoted parameter.
##### Proof of concept
```javascript
const FormData = require('form-data');
const form = new FormData();
form.append('email"\r\nX-Injected: true\r\nfake="', '[email protected]');
console.log(form.getBuffer().toString());
```
Before the fix this emits an injected `X-Injected: true` header line. A
field name that also includes `--<boundary>` sequences can introduce
additional parts (e.g. an extra `name="is_admin"` field), which a
downstream parser accepts as legitimate.
##### Impact
For an application that uses untrusted field names/filenames:
- **Field injection / override (integrity).** Inject or override fields
the backend trusts (e.g. `is_admin`, `role`) — the primary demonstrated
impact.
- **Header injection** into the generated multipart part.
Claims of guaranteed privilege escalation, authentication bypass, high
confidentiality impact, and availability impact are
application-dependent downstream consequences, not properties of
`form-data` itself, and are not demonstrated by the PoC.
##### Severity
The demonstrated, library-attributable impact is integrity (field/header
injection); there is no demonstrated confidentiality disclosure or
availability impact in `form-data` itself, and exploitation requires the
consuming app to feed untrusted data into field names/filenames. A
Moderate (≈5.3, `I:L`) rating is also defensible given that
precondition.
##### Patch
Fixed in **4.0.6**, **3.0.5**, and **2.5.6**. Users on older 0.x/1.x/2.x
releases should upgrade to 2.5.6 or later.
The fix escapes `\r`, `\n`, and `"` as `%0D`, `%0A`, and `%22` in field
names and filenames, matching the WHATWG HTML `multipart/form-data`
encoding algorithm that browsers implement. This neutralizes the
injection while leaving ordinary field names (including `name[0]`,
dotted, and unicode names) unchanged.
##### Workaround
Until upgrading, validate or reject field names/filenames that contain
control characters before calling `append`:
```javascript
if (/[\r\n]/.test(field)) { throw new Error('invalid field name'); }
```
##### Credit
Reported by [yueyueL](https://redirect.github.com/yueyueL).
#### Severity
- CVSS Score: 8.7 / 10 (High)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N`
#### References
- [https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx](https://redirect.github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx)
- [https://nvd.nist.gov/vuln/detail/CVE-2026-12143](https://nvd.nist.gov/vuln/detail/CVE-2026-12143)
- [https://github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435](https://redirect.github.com/form-data/form-data/commit/64190db548c0179e37206858e39f27cf513e9435)
- [https://github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229](https://redirect.github.com/form-data/form-data/commit/be3f3cf553978bac15a5182f1f3c3d2d38ccf229)
- [https://github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045](https://redirect.github.com/form-data/form-data/commit/c7133499c2ee1b80c678e411244f4442bf902045)
- [https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data](https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#multipart-form-data)
- [https://www.npmjs.com/package/form-data](https://www.npmjs.com/package/form-data)
- [https://github.com/advisories/GHSA-hmw2-7cc7-3qxx](https://redirect.github.com/advisories/GHSA-hmw2-7cc7-3qxx)
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-hmw2-7cc7-3qxx)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Release Notes
<details>
<summary>form-data/form-data (form-data)</summary>
### [`v4.0.6`](https://redirect.github.com/form-data/form-data/compare/v4.0.5...64190db548c0179e37206858e39f27cf513e9435)
[Compare Source](https://redirect.github.com/form-data/form-data/compare/v4.0.5...v4.0.6)
### [`v4.0.5`](https://redirect.github.com/form-data/form-data/blob/HEAD/CHANGELOG.md#v405---2025-11-17)
[Compare Source](https://redirect.github.com/form-data/form-data/compare/v4.0.4...v4.0.5)
##### Commits
- \[Tests] Switch to newer v8 prediction library; enable node 24 testing [`16e0076`](https://redirect.github.com/form-data/form-data/commit/16e00765342106876f98a1c9703314006c9e937a)
- \[Dev Deps] update `@ljharb/eslint-config`, `eslint` [`5822467`](https://redirect.github.com/form-data/form-data/commit/5822467f0ec21f6ad613c1c90856375e498793c7)
- \[Fix] set Symbol.toStringTag in the proper place [`76d0dee`](https://redirect.github.com/form-data/form-data/commit/76d0dee43933b5e167f7f09e5d9cbbd1cf911aa7)
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/netlify/cli).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

1 parent 35d52f5 commit 77982eb
1 file changed
Lines changed: 8 additions & 4 deletions
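The advisory above quotes the unescaped `Content-Disposition` construction, describes the fix as WHATWG-style escaping of `\r`, `\n` and `"`, and gives a pre-upgrade check. The following is an added example, not form-data's own code and not part of this PR: a toy part-header builder in the same unescaped shape, the hardened builder with that escaping, a minimal body serializer with a fixed boundary standing in for a backend parser, and the workaround check. The boundary, the `is_admin` smuggling payload and the helper names (`partHeaderUnescaped`, `escapeName`, `countParts`, `assertSafeName`) are all constructed for the demonstration.

```javascript
// Added example, not form-data's own code: a toy Content-Disposition builder
// in the unescaped shape the advisory quotes from _multiPartHeader, beside the
// WHATWG-style escaping (CR -> %0D, LF -> %0A, " -> %22) the fix adopts, plus
// the pre-upgrade input check. Boundary and payloads below are constructed.

// Vulnerable shape: field/filename concatenated into the header verbatim.
function partHeaderUnescaped(field, filename) {
  let cd = 'form-data; name="' + field + '"';
  if (filename !== undefined) cd += '; filename="' + filename + '"';
  return 'Content-Disposition: ' + cd + '\r\n';
}

// Name escaping as the patch notes describe it (CR, LF and '"' percent-encoded).
function escapeName(name) {
  return String(name)
    .replace(/\r/g, '%0D')
    .replace(/\n/g, '%0A')
    .replace(/"/g, '%22');
}

// Hardened shape: same header, but every attacker-reachable value is escaped.
function partHeaderEscaped(field, filename) {
  let cd = 'form-data; name="' + escapeName(field) + '"';
  if (filename !== undefined) cd += '; filename="' + escapeName(filename) + '"';
  return 'Content-Disposition: ' + cd + '\r\n';
}

// A part header that survived escaping is exactly one CRLF-terminated line.
function headerLineCount(header) {
  return header.split('\r\n').filter(Boolean).length;
}

// Fixed boundary so the smuggling payload can be built offline (form-data
// generates a random one, which an attacker would have to learn or guess).
const BOUNDARY = '----ExampleBoundary0123456789';

// Serialize [field, value] pairs into a multipart body with the given header builder.
function buildBody(parts, headerFn) {
  let out = '';
  for (const [field, value] of parts) {
    out += '--' + BOUNDARY + '\r\n' + headerFn(field) + '\r\n' + value + '\r\n';
  }
  return out + '--' + BOUNDARY + '--\r\n';
}

// Stand-in for a backend multipart parser: count the part delimiters it would see.
function countParts(body) {
  return body.split('--' + BOUNDARY + '\r\n').length - 1;
}

// Pre-upgrade guard from the workaround, extended to reject '"' as well.
function assertSafeName(name) {
  if (/[\r\n"]/.test(name)) throw new Error('invalid multipart field name or filename');
  return name;
}

// Constructed attacker inputs: header injection (the advisory's PoC shape) and
// part smuggling that appends an is_admin field the caller never set.
const INJECT_HEADER = 'email"\r\nX-Injected: true\r\nfake="';
const SMUGGLE_PART =
  'email"\r\n\r\nvictim\r\n--' + BOUNDARY +
  '\r\nContent-Disposition: form-data; name="is_admin';

// Run both builders over both payloads; the hardened builder yields one header
// line and one part, the unescaped one yields three lines and two parts.
function demo() {
  return {
    unescapedHeaderLines: headerLineCount(partHeaderUnescaped(INJECT_HEADER)),
    escapedHeaderLines: headerLineCount(partHeaderEscaped(INJECT_HEADER)),
    unescapedParts: countParts(buildBody([[SMUGGLE_PART, 'true']], partHeaderUnescaped)),
    escapedParts: countParts(buildBody([[SMUGGLE_PART, 'true']], partHeaderEscaped)),
    ordinaryNameUnchanged: escapeName('name[0]') === 'name[0]' && escapeName('a.b.ü') === 'a.b.ü',
  };
}

console.log(demo());
```

The smuggling payload only works because the boundary is fixed here; against a real form-data body the attacker would first need the random boundary, which is why the header-injection variant (no boundary knowledge needed) is the more direct vector. Rejecting `"` in the guard goes slightly beyond the advisory's `[\r\n]` check; it closes the quoted-parameter breakout the Details section also mentions.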