Intro – How CVE-2022-24999 works
The `form-data` npm library builds `multipart/form-data` request bodies. Before version 4.0.6, the field name passed to `FormData.append()` and the `filename` option were concatenated directly into the `Content-Disposition` header of each part without escaping CR (`\r`), LF (`\n`), or double quotes (`"`). When an attacker controls the field name or filename, they can inject a carriage return and line feed to terminate the header line early. For example, a field name like `email"\r\nX-Injected: true\r\nfake="` splits the generated part header, adding an arbitrary `X-Injected: true` header.

In `lib/form_data.js`, `_multiPartHeader` builds `'Content-Disposition': ['form-data', 'name="' + field + '"']` and `_getContentDisposition` builds `filename="' + filename + '"'`; neither function escapes control characters. This matches CWE-93 (CRLF injection). Browsers and the WHATWG HTML spec escape these characters, so the fix aligns with that standard.

Applications that only use fixed, trusted field names are not affected, but any app that passes untrusted input as a field name or filename becomes vulnerable. The primary library-attributable impact is integrity (field/header injection). Privilege escalation, authentication bypass, or confidentiality/availability impacts are downstream consequences, not intrinsic to the library.

The patch escapes `\r`, `\n`, and `"` as `%0D`, `%0A`, and `%22` in field names and filenames, neutralizing the injection while preserving normal names (including name, dotted, and Unicode names). Affected versions: ≤4.0.5, ≤3.0.4, ≤2.5.5; fixed in 4.0.6, 3.0.5, 2.5.6.
DailyCVE Form:
Platform: `npm / Node.js`
Version: `≤4.0.5, ≤3.0.4`
Vulnerability: `CRLF injection (CWE‑93)`
Severity: `Moderate (5.3)`
Date: `2022‑03‑08`
Prediction: `2022‑03‑14 (fixed)`
Analytics – What Undercode Says:
```bash
# Check for a vulnerable version (0.x-3.x, or 4.0.0-4.0.5)
npm list form-data | grep -E "form-data@([0-3]\.|4\.0\.[0-5]\b)"

# Simulate injection (before patch): the CRLF in the field name splits the part header
node -e "
const FormData = require('form-data');
const form = new FormData();
form.append('email\"\r\nX-Injected: true\r\nfake=\"', 'user@example.com');
console.log(form.getBuffer().toString());
"

# Verify patch (v4.0.6+): the same name is emitted with %0D, %0A and %22 escapes
node -e "
const FormData = require('form-data');
const form = new FormData();
form.append('email\"\r\nX-Injected: true\r\nfake=\"', 'user@example.com');
console.log(form.getBuffer().toString()); // shows the name escaped as %0D etc.
"
```
Exploit:
Attacker provides a field name like `"admin\r\nContent-Disposition: form-data; name=\"is_admin\"\r\n\r\ntrue\r\n--` to `FormData.append()`.
Protection:
- Upgrade to `form-data@4.0.6`, `3.0.5`, or `2.5.6` or later.
- If upgrading is impossible, validate field names/filenames with: `if (/[\r\n"]/.test(field)) throw new Error('Invalid field name');`
- Avoid using untrusted user input directly as field names or filenames.
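The following is an added example (not code from the `form-data` project or from this post) that reproduces the unescaped header construction described in the intro beside the percent-encoding the fix applies, plus the input-side guard from the Protection list; the boundary string and the hostile field name are constructed for the demonstration.

```javascript
'use strict';

// Constructed hostile field name of the kind described above (not from the page's PoC).
const HOSTILE_FIELD = 'email"\r\nX-Injected: true\r\nfake="';
// Constructed boundary; a real builder generates a random one.
const BOUNDARY = 'constructed-boundary-0001';

// Pre-4.0.6 behaviour as the page describes it: raw concatenation, no escaping.
function unsafeDisposition(field, filename) {
  let h = 'form-data; name="' + field + '"';
  if (filename !== undefined) h += '; filename="' + filename + '"';
  return h;
}

// Escaping applied by the fix: CR -> %0D, LF -> %0A, double quote -> %22.
function escapeName(name) {
  return String(name)
    .replace(/\r/g, '%0D')
    .replace(/\n/g, '%0A')
    .replace(/"/g, '%22');
}

// Hardened builder: same layout, but every untrusted name is escaped first.
function safeDisposition(field, filename) {
  let h = 'form-data; name="' + escapeName(field) + '"';
  if (filename !== undefined) h += '; filename="' + escapeName(filename) + '"';
  return h;
}

// Input-side guard for apps that cannot upgrade: reject rather than escape.
function assertSafeName(name) {
  if (/[\r\n"]/.test(name)) throw new Error('Invalid field name');
  return name;
}

// Serialise one part the way a multipart body builder lays it out.
function buildPart(disposition, field, value, filename) {
  return '--' + BOUNDARY + '\r\nContent-Disposition: ' +
    disposition(field, filename) + '\r\n\r\n' + value + '\r\n';
}

// Header names a receiving parser sees: the lines between the boundary line and
// the blank line. An unescaped CRLF in the name shows up as an extra header here.
function partHeaderNames(part) {
  const headerBlock = part.split('\r\n\r\n')[0];
  return headerBlock.split('\r\n').slice(1).map((l) => l.split(':')[0]);
}
```

Feeding `HOSTILE_FIELD` through `buildPart` with `unsafeDisposition` yields three header lines (including `X-Injected`), while `safeDisposition` keeps a single `Content-Disposition` line with the name percent-encoded.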
Impact:
- Integrity – inject/override backend‑trusted fields (e.g., `role=admin`).
- Header injection – add arbitrary headers into a multipart part.
- No direct confidentiality loss or DoS in the library itself. Downstream apps may suffer privilege escalation or auth bypass depending on how they parse the forged multipart data.
Sources:
Reported By: github.com