Inefficient Regular Expression Complexity

Summary

multiparty versions through 4.2.3 are vulnerable to Denial-of-Service (DoS) via regular expression backtracking in the 'Content-Disposition' filename parameter parser. A crafted multipart upload with a long header value can cause regex matching to take seconds, blocking the event loop. Impact: any service accepting multipart uploads via multiparty is affected. Workarounds: limiting upload sizes at the proxy or gateway layer reduces but does not eliminate the attack surface, since a small header of around 8 KB is sufficient to trigger the vulnerable backtracking.