
multer CVE-2026-5079

EUVD: EUVD-2026-36726 · HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-15 · openjs · GHSA-72gw-mp4g-v24j
7.5 CVSS 3.1 · Vendor: openjs

Severity by source

Vendor (openjs), primary: 7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

vuln.today AI: 7.5 HIGH

Single unauthenticated network request against default multer config (AV:N/AC:L/PR:N/UI:N) yields availability-only impact via resource exhaustion; no confidentiality or integrity effect.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (openjs).

CVSS Vector (Vendor: openjs)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch available: Jun 15, 2026 - 16:01 (EUVD)
Analysis Generated: Jun 15, 2026 - 14:33 (vuln.today)

Blast Radius (ecosystem impact, transitive graph resolved to 4-path depth)

  • 114 npm packages depend on multer (61 direct, 53 indirect)

Ecosystem-wide dependent count for version 1.0.0.

Description (CVE.org)

Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.

Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires.

Workarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.

Analysis (AI)

Denial of service in the Express.js multer middleware (versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1) allows unauthenticated remote attackers to exhaust CPU and memory by sending a single multipart form request with deeply nested bracket-notation field names. The flaw lives in the append-field dependency, which parses nesting depth without any cap, so one crafted POST can degrade or crash Node.js services. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify multipart endpoint on Node.js service
Delivery: Craft multipart body with deeply nested bracket field name
Exploit: Send single HTTP POST request
Execution: append-field recursively allocates nested object tree
Persist: CPU and memory exhaustion in Node worker
Impact: Service becomes unresponsive or OOM-killed

Vulnerability Assessment (AI)

Exploitation: The target application must use multer 1.0.0-2.1.1 or 3.0.0-alpha.1 as multipart middleware on a network-reachable HTTP endpoint that accepts multipart/form-data; no authentication, user interaction, or special configuration is required because nested bracket parsing in append-field is enabled by default. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H aligns with the description: a single network request with no authentication, no user interaction, and low complexity yields a high availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker identifies an internet-facing endpoint (login, contact form, file upload, profile edit) that accepts multipart/form-data and is handled by multer. They send a single HTTP POST whose multipart body contains a field name like a[a][a]...[a] repeated thousands of times; multer hands this to append-field, which allocates a correspondingly deep object tree, spiking CPU and RSS until the Node.js worker becomes unresponsive or the process is OOM-killed, taking the service offline.

Remediation: Vendor-released patch: multer 2.2.0 on the 2.x line and 3.0.0-alpha.2 on the 3.x prerelease line; upgrade and then explicitly configure the new limits.fieldNestingDepth option to the minimum depth your application actually needs (most apps need 1-2). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Deploy WAF or reverse-proxy rules to block multipart requests with excessive field nesting; implement resource quotas and CPU/memory limits on Node.js processes. …
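As an added example (not code from the advisory, the multer project, or vuln.today), the following shows the two defensive pieces the Patches, Workarounds and Recommended Action passages describe: the `limits` object the fixed versions accept, with `fields` (the workaround) and `fieldNestingDepth` (the option added in 2.2.0 / 3.0.0-alpha.2), and a pre-parse guard that measures bracket nesting depth in field names so a reverse proxy or an Express middleware placed ahead of multer can reject a request before append-field ever sees it. The numeric limit values, the `bracketNestingDepth` and `checkFieldNames` helpers, and the sample field names are all assumptions made for the example.

```javascript
'use strict';

// multer `limits` object for the fixed versions named in the advisory
// (2.2.0 / 3.0.0-alpha.2). `fields` caps the number of non-file fields per
// request (the advisory's workaround); `fieldNestingDepth` is the option the
// fix adds. The numbers are assumptions for a typical form, not advisory values.
const uploadLimits = {
  fields: 20,
  fieldNestingDepth: 2,
};
// Usage with the real middleware (not executed here):
//   const upload = multer({ dest: 'uploads/', limits: uploadLimits });

// Depth of bracket notation in a field name:
//   "name" -> 0, "user[email]" -> 1, "a[b][c]" -> 2, "tags[]" -> 1.
// Malformed names ("[[", a stray "]", an unclosed "[") return Infinity so that
// a guard comparing against a numeric limit fails closed.
function bracketNestingDepth(fieldName) {
  let depth = 0;
  let open = false;
  for (const ch of fieldName) {
    if (ch === '[') {
      if (open) return Infinity;
      open = true;
      depth += 1;
    } else if (ch === ']') {
      if (!open) return Infinity;
      open = false;
    }
  }
  return open ? Infinity : depth;
}

// Pre-parse guard: validate the field names of one request against the limits
// before anything is handed to append-field. Returns { ok: true } or
// { ok: false, reason, field }. Hypothetical helper; suitable for a reverse
// proxy rule or an Express middleware that runs ahead of multer.
function checkFieldNames(fieldNames, limits = uploadLimits) {
  if (fieldNames.length > limits.fields) {
    return { ok: false, reason: 'too many fields', field: null };
  }
  for (const name of fieldNames) {
    if (bracketNestingDepth(name) > limits.fieldNestingDepth) {
      return { ok: false, reason: 'field nesting too deep', field: name };
    }
  }
  return { ok: true };
}

// Constructed sample input: an ordinary profile form, and a single field name
// of the shape the advisory describes (bracket groups repeated thousands of times).
const normalForm = ['displayName', 'profile[email]', 'tags[]'];
const deepField = 'a' + '[a]'.repeat(5000);

// Runs the guard over both samples; the deep name is rejected in one pass over
// its characters instead of being expanded into a 5000-level object tree.
function demo() {
  return {
    normal: checkFieldNames(normalForm),
    deep: checkFieldNames([deepField]),
  };
}

const results = demo();
console.log(results.normal.ok, results.deep.ok, results.deep.reason);
```

The guard deliberately treats any malformed bracket sequence as infinitely deep: a name the parser would have to interpret creatively is exactly the kind of input a depth limit exists to keep out, and failing closed keeps the check independent of how a given append-field version happens to recover from it.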

