CRLF Injection in form-data <=4.0.5 via unsanitized field names and filenames
CVE-2026-12143 Published on June 12, 2026

form-data does not escape CR/LF/quote in multipart field names and filenames (CRLF injection)
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line feed (LF), or double-quote (") characters.

An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set `is_admin=true`) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection).

The fix escapes CR, LF, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected. Fixed in 2.5.6, 3.0.5, and 4.0.6.

References: Vendor Advisory, NVD

Vulnerability Analysis

CVE-2026-12143 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity, and no impact on availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

Weakness Type

What is a CRLF Injection Vulnerability?

The software uses CRLF (carriage return, line feed) sequences as a special element, e.g. to separate lines or records, but it does not neutralize, or incorrectly neutralizes, CRLF sequences that appear in its inputs.

CVE-2026-12143 has been classified as a CRLF Injection vulnerability or weakness.


Products Associated with CVE-2026-12143


Affected Versions

form-data
Red Hat OpenShift Service Mesh 2.6
Red Hat OpenShift Service Mesh 3.0
Red Hat OpenShift Service Mesh 3.1
Red Hat OpenShift Service Mesh 3.2
Red Hat OpenShift Service Mesh 3.3
Red Hat Cryostat 4
Red Hat Migration Toolkit for Applications 8
Red Hat Migration Toolkit for Containers
Red Hat Network Observability Operator
Red Hat Node HealthCheck Operator
Red Hat OpenShift Pipelines
Red Hat 3scale API Management Platform 2
Red Hat Advanced Cluster Security 4
Red Hat AMQ Broker 7
Red Hat build of Apache Camel - HawtIO 4
Red Hat build of Apicurio Registry 3
Red Hat Data Grid 8
Red Hat Developer Hub
Red Hat Enterprise Linux AI (RHEL AI) 3
Red Hat Fuse 7
Red Hat Hardened Images
Red Hat JBoss Enterprise Application Platform 7
Red Hat JBoss Enterprise Application Platform 8
Red Hat JBoss Enterprise Application Platform Expansion Pack
Red Hat OpenShift AI (RHOAI)
Red Hat OpenShift Container Platform 4
Red Hat Openshift Data Foundation 4
Red Hat OpenShift Dev Spaces
Red Hat OpenShift GitOps
Red Hat OpenShift Virtualization 4
Red Hat Quay 3
Red Hat Trusted Artifact Signer
Red Hat Trusted Profile Analyzer
Red Hat OpenShift Service Mesh 3
Red Hat build of Apache Camel for Spring Boot 4
Red Hat Multicluster Engine for Kubernetes
Red Hat Advanced Cluster Management for Kubernetes 2
Red Hat Ansible Automation Platform 2
Red Hat Build of Podman Desktop
Red Hat Build of Podman Desktop - Tech Preview
Red Hat Discovery 2
Red Hat Enterprise Linux 10
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 9
Red Hat Satellite 6
Red Hat Self-service automation portal 2

Exploit Probability

EPSS: 0.32%
Percentile: 24.03%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares with the scores of all other vulnerabilities.