UBUNTU-CVE-2026-12143

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-12143

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12143.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-12143

Upstream

CVE-2026-12143

Published

2026-06-12T19:16:00Z

Modified

2026-06-17T04:27:00Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the field argument to FormData#append and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return (CR), line feed (LF), or double-quote (") characters. An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set is_admin=true) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). The fix escapes CR, LF, and " as %0D, %0A, and %22 in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.

References

Affected packages

Ubuntu:24.04:LTS

node-form-data

Package

Name: node-form-data
Purl: pkg:deb/ubuntu/node-form-data?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.0.0-1

4.0.0-1ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "4.0.0-1ubuntu0.1",
            "binary_name": "node-form-data"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12143.json"

Ubuntu:25.10

node-form-data

Package

Name: node-form-data
Purl: pkg:deb/ubuntu/node-form-data?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.0.1-1

4.0.1-2

4.0.1-2ubuntu1

4.0.4+~2.1.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "4.0.4+~2.1.0-1",
            "binary_name": "node-form-data"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12143.json"

Ubuntu:26.04:LTS

node-form-data

Package

Name: node-form-data
Purl: pkg:deb/ubuntu/node-form-data?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.0.4+~2.1.0-1

4.0.5+~2.1.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "4.0.5+~2.1.0-1",
            "binary_name": "node-form-data"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12143.json"

Ubuntu:Pro:14.04:LTS

node-form-data

Package

Name: node-form-data
Purl: pkg:deb/ubuntu/node-form-data?arch=source&distro=esm-infra-legacy%2Ftrusty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.1.0-1

0.1.0-1ubuntu0.14.04.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.1.0-1ubuntu0.14.04.1~esm1",
            "binary_name": "node-form-data"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12143.json"

Ubuntu:Pro:16.04:LTS

node-form-data

Package

Name: node-form-data
Purl: pkg:deb/ubuntu/node-form-data?arch=source&distro=esm-apps%2Fxenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.1.0-1

0.1.0-1ubuntu0.16.04.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.1.0-1ubuntu0.16.04.1~esm1",
            "binary_name": "node-form-data"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12143.json"

Ubuntu:Pro:18.04:LTS

node-form-data

Package

Name: node-form-data
Purl: pkg:deb/ubuntu/node-form-data?arch=source&distro=esm-apps%2Fbionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.1.0-1

0.1.0-1ubuntu0.18.04.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "0.1.0-1ubuntu0.18.04.1~esm1",
            "binary_name": "node-form-data"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12143.json"

Ubuntu:Pro:20.04:LTS

node-form-data

Package

Name: node-form-data
Purl: pkg:deb/ubuntu/node-form-data?arch=source&distro=esm-apps%2Ffocal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.3.2-4

2.5.1-1

3.*

3.0.0-2

3.0.0-2ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.0.0-2ubuntu0.1~esm1",
            "binary_name": "node-form-data"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12143.json"

Ubuntu:Pro:22.04:LTS

node-form-data

Package

Name: node-form-data
Purl: pkg:deb/ubuntu/node-form-data?arch=source&distro=esm-apps%2Fjammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.0-2

3.0.0-4

3.0.1-1

3.0.1-1ubuntu0.1~esm1

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "3.0.1-1ubuntu0.1~esm1",
            "binary_name": "node-form-data"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-12143.json"