
Multer CVE-2026-5038

EUVD: EUVD-2026-36728 · HIGH
Incomplete Cleanup (CWE-459)
2026-06-15 · openjs · GHSA-3p4h-7m6x-2hcm
7.5 (CVSS 3.1 · NVD)

Severity by source

Vendor (openjs), primary: MEDIUM (qualitative)
NVD: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
vuln.today AI: 7.5 HIGH

Unauthenticated remote abort-flood against a reachable diskStorage upload endpoint, no user interaction, availability-only impact through disk exhaustion; no confidentiality or integrity effect.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (openjs).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (7 events)

Analysis Updated, Jun 16, 2026 - 17:12, vuln.today: v3 (cvss_changed)
Analysis Updated, Jun 16, 2026 - 17:12, vuln.today: v2 (cvss_changed)
Re-analysis Queued, Jun 16, 2026 - 17:07, vuln.today: cvss_changed
Severity Changed, Jun 16, 2026 - 17:07, NVD: MEDIUM → HIGH
CVSS changed, Jun 16, 2026 - 17:07, NVD: 5.3 (MEDIUM) → 7.5 (HIGH)
Patch available, Jun 15, 2026 - 17:01, EUVD
Analysis Generated, Jun 15, 2026 - 16:33, vuln.today

Description (NVD)

Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.

Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.

Workarounds: None.

Analysis (AI)

Denial of service in Multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 allows remote unauthenticated attackers to exhaust server disk space when the library is configured with diskStorage. Aborted or malformed multipart uploads leave orphaned partial files because stream destruction is not propagated to the underlying fs.WriteStream, enabling resource exhaustion at scale with no public exploit identified at time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Multer upload endpoint
Delivery: Open multipart POST connections
Exploit: Abort streams mid-upload
Execution: Orphan partial files accumulate
Persist: Disk partition exhausted
Impact: Upload and write operations fail service-wide

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target application uses Multer's diskStorage engine (the default DiskStorage configuration, including the no-arg multer() call, which writes to os.tmpdir()) on an affected version, 2.0.0-alpha.1 through 2.1.1 or 3.0.0-alpha.1, and that an upload route is reachable by the attacker. …

Risk Assessment: All signals point to a credible but bounded availability risk rather than a critical compromise. …

Exploit Scenario: An unauthenticated attacker repeatedly opens multipart/form-data POST requests to a Multer diskStorage-backed upload endpoint and aborts each TCP connection mid-transfer after sending some payload bytes. Each aborted request leaves an orphan partial file on disk, and a parallelized loop quickly consumes the upload partition, causing write failures across the application until an operator manually clears the temp directory. …

Remediation: Vendor-released patch: upgrade to multer 2.2.0 on the 2.x line or 3.0.0-alpha.2 on the 3.x prerelease, both of which track in-flight write streams and clean them up on the abort path, per the GHSA-3p4h-7m6x-2hcm advisory (https://github.com/expressjs/multer/security/advisories/GHSA-3p4h-7m6x-2hcm) and the OpenJS CNA notes (https://cna.openjsf.org/security-advisories.html). …

Recommended Action (AI)

24 hours: Identify all applications using affected Multer versions (2.0.0-alpha.1 through 2.1.1, and 3.0.0-alpha.1) with diskStorage enabled. …


CVE-2026-5038 vulnerability details – vuln.today
