Your message dated Wed, 24 Jun 2026 08:49:23 +0000
with message-id <[email protected]>
and subject line Bug#1139959: fixed in node-form-data 4.0.6+~2.1.0-1
has caused the Debian Bug report #1139959,
regarding node-form-data: CVE-2026-12143
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139959: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139959
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-form-data
Version: 4.0.5+~2.1.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-form-data.
CVE-2026-12143[0]:
| form-data is a library for creating readable multipart/form-data
| streams. In versions through 4.0.5, the `field` argument to
| `FormData#append` and the `filename` option are concatenated
| verbatim into the `Content-Disposition` header without escaping
| carriage return (CR), line feed (LF), or double-quote (")
| characters. An application that passes attacker-controlled data as a
| field name or filename (for example, an API gateway that turns JSON
| object keys into multipart field names) allows the attacker to
| terminate the header line and inject additional headers, or to
| smuggle entire additional multipart parts, into the request the
| application forwards to a backend. This can let the attacker add or
| override form fields (e.g. set `is_admin=true`) seen by the
| downstream parser. This is an instance of CWE-93 (CRLF injection).
| The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field
| names and filenames, matching the serialization browsers use per the
| WHATWG HTML multipart/form-data encoding algorithm. Exploitation
| requires the consuming application to use untrusted input as a field
| name or filename; applications that use only fixed/trusted field
| names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-12143
https://www.cve.org/CVERecord?id=CVE-2026-12143
[1] https://github.com/form-data/form-data/security/advisories/GHSA-hmw2-7cc7-3qxx
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
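The escaping the advisory above describes, as an added example that is not form-data's own code: the pre-fix verbatim concatenation beside the fixed form that percent-escapes CR, LF and `"` in the field name and filename, plus a line-count check a defender can apply to the generated header. The function names and the sample field value are assumptions made for this illustration.

```javascript
// Escape CR, LF and double quote the way the fix (and the WHATWG
// multipart/form-data encoding algorithm) does: %0D, %0A, %22.
function escapeFormDataName(value) {
  return String(value)
    .replace(/\r/g, '%0D')
    .replace(/\n/g, '%0A')
    .replace(/"/g, '%22');
}

// Pre-fix behaviour (versions through 4.0.5): the field name and filename
// are concatenated verbatim into the Content-Disposition header.
function contentDispositionUnsafe(field, filename) {
  let header = `Content-Disposition: form-data; name="${field}"`;
  if (filename !== undefined) header += `; filename="${filename}"`;
  return header;
}

// Fixed behaviour: escape both values before concatenation, so no raw
// CR/LF or quote can reach the header.
function contentDispositionSafe(field, filename) {
  let header = `Content-Disposition: form-data; name="${escapeFormDataName(field)}"`;
  if (filename !== undefined) header += `; filename="${escapeFormDataName(filename)}"`;
  return header;
}

// Defender-side check: a well-formed header occupies exactly one line.
// Returns how many lines the generated header spans; anything other than 1
// means the untrusted value terminated the header line (CWE-93).
function headerLineCount(header) {
  return header.split(/\r\n|\r|\n/).length;
}

// Constructed sample input: a field name carrying a quote and a CRLF, the
// kind of value an API gateway could pass through from an untrusted JSON key.
const untrustedField = 'comment"\r\nX-Injected: 1';

// Unescaped, the value splits the header into two lines; escaped, it stays one.
headerLineCount(contentDispositionUnsafe(untrustedField)); // 2
headerLineCount(contentDispositionSafe(untrustedField));   // 1
```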
--- Begin Message ---
Source: node-form-data
Source-Version: 4.0.6+~2.1.0-1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-form-data, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-form-data package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Wed, 24 Jun 2026 10:27:15 +0200
Source: node-form-data
Architecture: source
Version: 4.0.6+~2.1.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1139959
Changes:
node-form-data (4.0.6+~2.1.0-1) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.4
* New upstream version (Closes: #1139959, CVE-2026-12143)
--- End Message ---