Multiparty Denial-of-Service Vulnerability via Regular Expression Backtracking in Filename Parsing

Vulnerability

A denial-of-service vulnerability has been identified in the multiparty package, affecting versions up to and including 4.2.3. The issue arises from regular expression backtracking in the parser for the Content-Disposition filename parameter. A crafted multipart upload with a long header value can make the regex match take several seconds, blocking the event loop for that entire time. This vulnerability affects any service that accepts multipart uploads via multiparty.
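To make the mechanism concrete, the following is an added example (not multiparty's own code) of the defensive shape a header parser can take: a single-pass scanner whose work is bounded by the header length, placed behind an up-front length guard, so a long filename value cannot trigger superlinear backtracking. The MAX_HEADER_LENGTH value and the function names are assumptions for this illustration.

```javascript
// Added example, not multiparty's own code: a single-pass, linear-time
// Content-Disposition parser with an up-front header-length guard, as a
// defensive alternative to regex-based filename extraction.

// Hypothetical limit; size it to the largest legitimate header you expect.
const MAX_HEADER_LENGTH = 4096;
function parseContentDisposition(header) {
  if (typeof header !== 'string') throw new TypeError('header must be a string');
  if (header.length > MAX_HEADER_LENGTH) {
    throw new RangeError('Content-Disposition header exceeds MAX_HEADER_LENGTH');
  }
  const n = header.length;
  const params = {};
  let i = 0;
  // The disposition type runs up to the first ';' (or the end of the header).
  while (i < n && header[i] !== ';') i++;
  const type = header.slice(0, i).trim().toLowerCase();
  // Parameters are name=token or name="quoted \"string\"", separated by ';'.
  // Every branch advances i, so total work is bounded by header.length.
  while (i < n) {
    i++; // step past ';'
    let start = i;
    while (i < n && header[i] !== '=' && header[i] !== ';') i++;
    const name = header.slice(start, i).trim().toLowerCase();
    if (i >= n || header[i] === ';') continue; // bare token without a value
    i++; // step past '='
    while (i < n && (header[i] === ' ' || header[i] === '\t')) i++;
    let value = '';
    if (header[i] === '"') {
      i++;
      while (i < n && header[i] !== '"') {
        if (header[i] === '\\' && i + 1 < n) i++; // keep the escaped char
        value += header[i++];
      }
      while (i < n && header[i] !== ';') i++; // past closing quote to next ';'
    } else {
      start = i;
      while (i < n && header[i] !== ';') i++;
      value = header.slice(start, i).trim();
    }
    if (name) params[name] = value;
  }
  return { type, params };
}

// Constructed inputs: a normal part header, and an oversized one shaped like the
// advisory's description (a long run of '1' after 'filename=') that is rejected.
const NORMAL = 'form-data; name="upload"; filename="a;b\\"c.txt"';
const OVERSIZED = 'form-data; name="upload"; filename=' + '1'.repeat(100000);
```

The length guard rejects the oversized header before any parsing happens, and the scanner itself never re-reads earlier characters, so parse time grows only linearly with header size.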

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, where the event loop is blocked for an extended period, causing the application to become unresponsive.

Reproduction

To reproduce this vulnerability, upload a multipart file with a Content-Disposition header that includes a filename parameter. The header value should be crafted to include a repetition of a specific pattern that triggers the regular expression backtracking. This can be done by repeating '1' after '!filename=' to create a long header value, which will cause the regex parser to slow down significantly.

Remediation

Users are advised to upgrade to multiparty version 4.3.0 or higher.

Added: May 12, 2026, 10:18 AM
Updated: May 12, 2026, 10:18 AM

Vulnerability Rating (Custom Algorithm)

spread          0.0
impact          2.5
exploitability  7.7
remediation     0.0
relevance       8.1
threat          1.6
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.