


    4 records for multer (2 distinct CVEs — CVE-2026-5038 and CVE-2026-5079 — each shown once from the nvd source and once from the cvelistv5 source)

    CVE-2026-5038 (GCVE-0-2026-5038)

    Vulnerability from nvd – Published: 2026-06-15 14:23 – Updated: 2026-06-15 16:07
    Title
    multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads
    Summary
    Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exhaust disk space by repeatedly triggering aborted uploads; no application-level bug is required.
    Patches: Upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.
    Workarounds: None.
    SSVC
    Exploitation: none; Automatable: yes; Technical Impact: partial (CISA Coordinator, SSVC v2.0.3)
    CNA CVSS v3.1: 5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
    CWE
    • CWE-459 - Incomplete Cleanup
    Assigner
    openjs (OpenJS Foundation CNA)
    Impacted products
    Vendor: multer — Product: multer (pkg:npm/multer)
    Affected: >= 2.0.0-alpha.1, < 2.2.0 (semver)
    Unaffected: 2.2.0 (semver)
    Affected: >= 3.0.0-alpha.1, < 3.0.0-alpha.2 (semver)
    Unaffected: 3.0.0-alpha.2 (semver)
    Versions outside the listed ranges are recorded as unaffected (record defaultStatus: unaffected).
    Credits
    yuki-matsuhashi (remediation reviewer), HamdaanAliQuatil (finder), fasrm (finder), UlisesGascon (remediation developer), bjohansebas (remediation reviewer), 0xStraw-Hat (finder), bhaswanthc (finder), ByamB4 (finder), sbouabid-sec (finder), DavidCarliez (finder), JebeenLee (finder)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5038",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-15T16:07:25.876003Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-15T16:07:45.114Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/multer",
              "product": "multer",
              "vendor": "multer",
              "versions": [
                {
                  "lessThan": "2.2.0",
                  "status": "affected",
                  "version": "2.0.0-alpha.1",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.0.0-alpha.2",
                  "status": "affected",
                  "version": "3.0.0-alpha.1",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "3.0.0-alpha.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "yuki-matsuhashi"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "HamdaanAliQuatil"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "fasrm"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "UlisesGascon"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "bjohansebas"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "0xStraw-Hat"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "bhaswanthc"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "ByamB4"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "sbouabid-sec"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "DavidCarliez"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "JebeenLee"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to \nthe underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.\n\nPatches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.\n\nWorkarounds: None."
                }
              ],
              "value": "Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to \nthe underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.\n\nPatches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.\n\nWorkarounds: None."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-459",
                  "description": "CWE-459: Incomplete Cleanup",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-15T14:23:24.230Z",
            "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
            "shortName": "openjs"
          },
          "references": [
            {
              "url": "https://github.com/expressjs/multer/security/advisories/GHSA-3p4h-7m6x-2hcm"
            },
            {
              "url": "https://cna.openjsf.org/security-advisories.html"
            }
          ],
          "title": "multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads",
          "x_generator": {
            "engine": "cve-kit 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "assignerShortName": "openjs",
        "cveId": "CVE-2026-5038",
        "datePublished": "2026-06-15T14:23:24.230Z",
        "dateReserved": "2026-03-27T16:26:09.638Z",
        "dateUpdated": "2026-06-15T16:07:45.114Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5079 (GCVE-0-2026-5079)

    Vulnerability from nvd – Published: 2026-06-15 13:56 – Updated: 2026-06-15 16:00
    Title
    multer vulnerable to Denial of Service via deeply nested field names
    Summary
    Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, so an attacker can force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient.
    Patches: Upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth the application actually requires.
    Workarounds: Set limits.fields to a reasonable value to cap the number of fields an attacker can send per request. This only bounds the field count, not the nesting depth of any single field name, so it reduces but does not eliminate the impact.
    SSVC
    Exploitation: none; Automatable: yes; Technical Impact: partial (CISA Coordinator, SSVC v2.0.3)
    CNA CVSS v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    openjs (OpenJS Foundation CNA)
    Impacted products
    Vendor: multer — Product: multer (pkg:npm/multer)
    Affected: >= 1.0.0, < 2.2.0 (semver)
    Unaffected: 2.2.0 (semver)
    Affected: >= 3.0.0-alpha.1, < 3.0.0-alpha.2 (semver)
    Unaffected: 3.0.0-alpha.2 (semver)
    Versions outside the listed ranges are recorded as unaffected (record defaultStatus: unaffected).
    Credits
    tndud042713 (reporter), UlisesGascon (remediation developer)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5079",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-15T16:00:29.855724Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-15T16:00:43.955Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/multer",
              "product": "multer",
              "vendor": "multer",
              "versions": [
                {
                  "lessThan": "2.2.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.0.0-alpha.2",
                  "status": "affected",
                  "version": "3.0.0-alpha.1",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "3.0.0-alpha.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "tndud042713"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "UlisesGascon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.\n\nPatches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires.\n\nWorkarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact."
                }
              ],
              "value": "Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.\n\nPatches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires.\n\nWorkarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-15T13:56:45.520Z",
            "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
            "shortName": "openjs"
          },
          "references": [
            {
              "url": "https://github.com/expressjs/multer/security/advisories/GHSA-72gw-mp4g-v24j"
            },
            {
              "url": "https://cna.openjsf.org/security-advisories.html"
            }
          ],
          "title": "multer vulnerable to Denial of Service via deeply nested field names",
          "x_generator": {
            "engine": "cve-kit 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "assignerShortName": "openjs",
        "cveId": "CVE-2026-5079",
        "datePublished": "2026-06-15T13:56:45.520Z",
        "dateReserved": "2026-03-28T19:04:56.443Z",
        "dateUpdated": "2026-06-15T16:00:43.955Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5038 (GCVE-0-2026-5038)

    Vulnerability from cvelistv5 – Published: 2026-06-15 14:23 – Updated: 2026-06-15 16:07
    Title
    multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads
    Summary
    Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exhaust disk space by repeatedly triggering aborted uploads; no application-level bug is required.
    Patches: Upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.
    Workarounds: None.
    SSVC
    Exploitation: none; Automatable: yes; Technical Impact: partial (CISA Coordinator, SSVC v2.0.3)
    CNA CVSS v3.1: 5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
    CWE
    • CWE-459 - Incomplete Cleanup
    Assigner
    openjs (OpenJS Foundation CNA)
    Impacted products
    Vendor: multer — Product: multer (pkg:npm/multer)
    Affected: >= 2.0.0-alpha.1, < 2.2.0 (semver)
    Unaffected: 2.2.0 (semver)
    Affected: >= 3.0.0-alpha.1, < 3.0.0-alpha.2 (semver)
    Unaffected: 3.0.0-alpha.2 (semver)
    Versions outside the listed ranges are recorded as unaffected (record defaultStatus: unaffected).
    Credits
    yuki-matsuhashi (remediation reviewer), HamdaanAliQuatil (finder), fasrm (finder), UlisesGascon (remediation developer), bjohansebas (remediation reviewer), 0xStraw-Hat (finder), bhaswanthc (finder), ByamB4 (finder), sbouabid-sec (finder), DavidCarliez (finder), JebeenLee (finder)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5038",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-15T16:07:25.876003Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-15T16:07:45.114Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/multer",
              "product": "multer",
              "vendor": "multer",
              "versions": [
                {
                  "lessThan": "2.2.0",
                  "status": "affected",
                  "version": "2.0.0-alpha.1",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.0.0-alpha.2",
                  "status": "affected",
                  "version": "3.0.0-alpha.1",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "3.0.0-alpha.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "yuki-matsuhashi"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "HamdaanAliQuatil"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "fasrm"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "UlisesGascon"
            },
            {
              "lang": "en",
              "type": "remediation reviewer",
              "value": "bjohansebas"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "0xStraw-Hat"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "bhaswanthc"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "ByamB4"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "sbouabid-sec"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "DavidCarliez"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "JebeenLee"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to \nthe underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.\n\nPatches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.\n\nWorkarounds: None."
                }
              ],
              "value": "Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to \nthe underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.\n\nPatches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.\n\nWorkarounds: None."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-459",
                  "description": "CWE-459: Incomplete Cleanup",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-15T14:23:24.230Z",
            "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
            "shortName": "openjs"
          },
          "references": [
            {
              "url": "https://github.com/expressjs/multer/security/advisories/GHSA-3p4h-7m6x-2hcm"
            },
            {
              "url": "https://cna.openjsf.org/security-advisories.html"
            }
          ],
          "title": "multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads",
          "x_generator": {
            "engine": "cve-kit 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "assignerShortName": "openjs",
        "cveId": "CVE-2026-5038",
        "datePublished": "2026-06-15T14:23:24.230Z",
        "dateReserved": "2026-03-27T16:26:09.638Z",
        "dateUpdated": "2026-06-15T16:07:45.114Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5079 (GCVE-0-2026-5079)

    Vulnerability from cvelistv5 – Published: 2026-06-15 13:56 – Updated: 2026-06-15 16:00
    Title
    multer vulnerable to Denial of Service via deeply nested field names
    Summary
    Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, so an attacker can force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient.
    Patches: Upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth the application actually requires.
    Workarounds: Set limits.fields to a reasonable value to cap the number of fields an attacker can send per request. This only bounds the field count, not the nesting depth of any single field name, so it reduces but does not eliminate the impact.
    SSVC
    Exploitation: none; Automatable: yes; Technical Impact: partial (CISA Coordinator, SSVC v2.0.3)
    CNA CVSS v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    CWE
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    openjs (OpenJS Foundation CNA)
    Impacted products
    Vendor: multer — Product: multer (pkg:npm/multer)
    Affected: >= 1.0.0, < 2.2.0 (semver)
    Unaffected: 2.2.0 (semver)
    Affected: >= 3.0.0-alpha.1, < 3.0.0-alpha.2 (semver)
    Unaffected: 3.0.0-alpha.2 (semver)
    Versions outside the listed ranges are recorded as unaffected (record defaultStatus: unaffected).
    Credits
    tndud042713 (reporter), UlisesGascon (remediation developer)

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5079",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-15T16:00:29.855724Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-15T16:00:43.955Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/multer",
              "product": "multer",
              "vendor": "multer",
              "versions": [
                {
                  "lessThan": "2.2.0",
                  "status": "affected",
                  "version": "1.0.0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "2.2.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "3.0.0-alpha.2",
                  "status": "affected",
                  "version": "3.0.0-alpha.1",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "3.0.0-alpha.2",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "tndud042713"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "UlisesGascon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.\n\nPatches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires.\n\nWorkarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact."
                }
              ],
              "value": "Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.\n\nPatches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires.\n\nWorkarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-400",
                  "description": "CWE-400: Uncontrolled Resource Consumption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-15T13:56:45.520Z",
            "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
            "shortName": "openjs"
          },
          "references": [
            {
              "url": "https://github.com/expressjs/multer/security/advisories/GHSA-72gw-mp4g-v24j"
            },
            {
              "url": "https://cna.openjsf.org/security-advisories.html"
            }
          ],
          "title": "multer vulnerable to Denial of Service via deeply nested field names",
          "x_generator": {
            "engine": "cve-kit 1.0.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "assignerShortName": "openjs",
        "cveId": "CVE-2026-5079",
        "datePublished": "2026-06-15T13:56:45.520Z",
        "dateReserved": "2026-03-28T19:04:56.443Z",
        "dateUpdated": "2026-06-15T16:00:43.955Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }