
CVE-2026-12143 (HIGH): detected in Lambda Docker Images. #558

Description

@the-lambda-watchdog

CVE Details

| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2026-12143 | HIGH | form-data | 4.0.5 | 2.5.6, 3.0.5, 4.0.6 | 2026-06-12T19:16:26.56Z | 2026-06-16T10:19:08.088601836Z |

Affected Docker Images

| Image Name | SHA |
| --- | --- |
| public.ecr.aws/lambda/nodejs:latest | public.ecr.aws/lambda/nodejs@sha256:d01267c60e0434e803c8f0b2262f77dcfb612bbe32f7dd68ab9ac938504819b0 |
| public.ecr.aws/lambda/nodejs:24 | public.ecr.aws/lambda/nodejs@sha256:76dd5356e7fb20ca4c57b5ae30d5e80192e6822929b3c467d0614172bce3c960 |
| public.ecr.aws/lambda/nodejs:22 | public.ecr.aws/lambda/nodejs@sha256:d01267c60e0434e803c8f0b2262f77dcfb612bbe32f7dd68ab9ac938504819b0 |

At scan time the `latest` tag resolved to the same digest as `nodejs:22`, so pinning to `latest` does not get you the `nodejs:24` image.

Description

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the field argument to FormData#append and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return (CR), line feed (LF), or double-quote (") characters.

An application that passes attacker-controlled data as a field name or filename (for example, an API gateway that turns JSON object keys into multipart field names) allows the attacker to terminate the header line and inject additional headers, or to smuggle entire additional multipart parts, into the request the application forwards to a backend. This can let the attacker add or override form fields (e.g. set is_admin=true) seen by the downstream parser. This is an instance of CWE-93 (CRLF injection). Exploitation requires the consuming application to use untrusted input as a field name or filename; applications that use only fixed/trusted field names are not affected.

The fix escapes CR, LF, and " as %0D, %0A, and %22 in field names and filenames, matching the serialization browsers use per the WHATWG HTML multipart/form-data encoding algorithm. Fixed in 2.5.6, 3.0.5, and 4.0.6.
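
The injection path and the fix, as an added example that is neither form-data's own code nor part of this issue. It rebuilds the two header-construction strategies (verbatim concatenation versus the %0D/%0A/%22 escaping described above) around a toy multipart serializer and a toy backend parser, then forwards one attacker-controlled JSON key through each. The boundary string, the `is_admin` field, the `attackerFieldName` key and the helper names are all constructed for the example; smuggling a whole extra part assumes the attacker knows the boundary, whereas injecting extra headers into the same part needs only a CR/LF.

```javascript
// Added example, not form-data's own code: a minimal reproduction of the CWE-93
// pattern in CVE-2026-12143. The boundary is fixed so the smuggled part lines
// up; in a real attack the attacker must know or predict it (injecting headers
// into the same part needs only a CR/LF and works without it).
const BOUNDARY = "----ExampleBoundary1234"; // constructed, assumed known to attacker

// Vulnerable builder: field name and filename concatenated verbatim, as
// form-data through 4.0.5 did.
function contentDispositionUnsafe(field, filename) {
  let header = `Content-Disposition: form-data; name="${field}"`;
  if (filename !== undefined) header += `; filename="${filename}"`;
  return header;
}

// Fixed builder: CR, LF and double quote escaped as %0D, %0A and %22,
// the WHATWG multipart/form-data encoding that browsers use.
function escapeName(value) {
  return String(value)
    .replace(/\r/g, "%0D")
    .replace(/\n/g, "%0A")
    .replace(/"/g, "%22");
}

function contentDispositionSafe(field, filename) {
  let header = `Content-Disposition: form-data; name="${escapeName(field)}"`;
  if (filename !== undefined) header += `; filename="${escapeName(filename)}"`;
  return header;
}

// Serialize parts into a multipart/form-data body using the given header builder.
function buildMultipart(parts, buildHeader) {
  let body = "";
  for (const p of parts) {
    body += `--${BOUNDARY}\r\n${buildHeader(p.name, p.filename)}\r\n\r\n${p.value}\r\n`;
  }
  return body + `--${BOUNDARY}--\r\n`;
}

// Toy backend-side parser (constructed). Like real parsers it only recognises a
// boundary at the start of a line (preceded by CRLF), so a boundary string that
// survives only percent-escaped inside a header value does not split the body.
function parseMultipart(body) {
  const fields = {};
  const chunks = ("\r\n" + body).split(`\r\n--${BOUNDARY}`);
  for (const chunk of chunks) {
    if (chunk === "" || chunk.startsWith("--")) continue; // preamble / terminator
    const sep = chunk.indexOf("\r\n\r\n");
    if (sep < 0) continue;
    const headers = chunk.slice(0, sep);
    const value = chunk.slice(sep + 4);
    const m = /name="([^"]*)"/.exec(headers);
    if (m) fields[m[1]] = value;
  }
  return fields;
}

// Attacker-controlled JSON key (constructed) that a gateway turns into a field
// name: it closes the quoted name, ends the header block, supplies "hello" as the
// value of the "comment" part, and starts a brand-new "is_admin" part whose value
// becomes whatever the gateway appends for this key.
function attackerFieldName() {
  return `comment"\r\n\r\nhello\r\n--${BOUNDARY}\r\nContent-Disposition: form-data; name="is_admin`;
}

// Forward the single attacker-controlled field through each builder and return
// what the backend parser sees in both cases.
function demo() {
  const parts = [{ name: attackerFieldName(), value: "true" }];
  return {
    vulnerable: parseMultipart(buildMultipart(parts, contentDispositionUnsafe)),
    fixed: parseMultipart(buildMultipart(parts, contentDispositionSafe)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the unsafe builder the backend sees two fields, `comment=hello` and `is_admin=true`, neither of which the gateway intended to send; with the escaped builder it sees exactly one field whose (odd-looking) name is the percent-escaped attacker key, and `is_admin` never appears. The same escaping applies to the filename option, which is why the fixed builder runs it through `escapeName` as well.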


Remediation Steps

  • Update form-data to a fixed release on the major line you run: 4.0.6 for the 4.x line installed in these images (4.0.5). 2.5.6 and 3.0.5 are the corresponding fixes for the 2.x and 3.x lines, not downgrade targets for 4.0.5.
  • The vulnerable copy ships inside the base image, so rebuild your function image from a newer public.ecr.aws/lambda/nodejs digest once one is published and rescan the rebuilt image rather than trusting the tag; also check your own bundle with `npm ls form-data`, since the image copy is not the only place the package can appear.
  • Functions that only ever pass fixed, trusted field names and filenames to FormData#append are not exploitable through this path, but the scanner finding remains until the package is updated.

About this issue

  • This issue may not contain all the information about the CVE nor the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.
