Severity by source
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
A single unauthenticated network request against the default multer configuration (AV:N/AC:L/PR:N/UI:N) yields an availability-only impact via resource exhaustion; there is no confidentiality or integrity effect.
Primary rating from the vendor (openjs).
CVSS vector (vendor: openjs): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Blast Radius
Ecosystem impact: 114 npm packages depend on multer (61 direct, 53 indirect).
Ecosystem-wide dependent count for version 1.0.0.
Description (CVE.org)
Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.
Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires.
Workarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.
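The quantity the advisory says append-field never bounded is the bracket nesting depth of a field name, which is exactly what the new limits.fieldNestingDepth caps. The following defender-side check is an added example, not code from multer, append-field or this page; the depth counting rule ("a" is 0, "a[b]" is 1, "a[b][c]" is 2, an unclosed bracket stops counting) and the sample field names are my own assumptions, not multer's exact semantics.

```javascript
// Count bracket-notation nesting groups in a multipart field name.
// Assumed counting rule (not necessarily identical to multer's internal one):
//   "username" -> 0, "profile[name]" -> 1, "address[home][street]" -> 2.
// A "[" without a matching "]" is malformed and terminates the scan.
function bracketDepth(fieldName) {
  let depth = 0;
  let open = fieldName.indexOf('[');
  while (open !== -1) {
    const close = fieldName.indexOf(']', open + 1);
    if (close === -1) break;            // unclosed bracket: stop, do not count it
    depth += 1;
    open = fieldName.indexOf('[', close + 1);
  }
  return depth;
}

// Pre-parse guard in the spirit of the "block excessive field nesting"
// recommendation: inspect every field name in a request and report the ones
// deeper than maxDepth, so the request can be rejected before any nested
// object tree is allocated for it.
function checkFieldNames(fieldNames, maxDepth) {
  const rejected = [];
  for (const name of fieldNames) {
    const depth = bracketDepth(name);
    if (depth > maxDepth) {
      // Truncate long names so a log line does not itself become huge.
      const shown = name.length > 32 ? name.slice(0, 32) + '...' : name;
      rejected.push({ name: shown, depth });
    }
  }
  return { ok: rejected.length === 0, rejected };
}

// Constructed sample input: ordinary form fields plus one pathological name of
// the shape the advisory describes, a[a][a]...[a], here 1000 levels deep.
const sampleFields = [
  'username',
  'profile[name]',
  'address[home][street]',
  'a' + '[a]'.repeat(1000),
];

// Limits matching the advisory's remediation: limits.fieldNestingDepth is the
// option introduced in multer 2.2.0 / 3.0.0-alpha.2; limits.fields is the
// partial workaround for unpatched versions. Values here are illustrative.
const hardenedLimits = { fields: 20, fieldNestingDepth: 2 };

console.log(checkFieldNames(sampleFields, hardenedLimits.fieldNestingDepth));
```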
Analysis (AI)
Denial of service in the Express.js multer middleware (versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1) allows unauthenticated remote attackers to exhaust CPU and memory by sending a single multipart form request with deeply nested bracket-notation field names. The flaw lives in the append-field dependency, which parses nesting depth without any cap, so one crafted POST can degrade or crash Node.js services. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | The target application must use multer 1.0.0-2.1.1 or 3.0.0-alpha.1 as multipart middleware on a network-reachable HTTP endpoint that accepts multipart/form-data; no authentication, user interaction, or special configuration is required because nested bracket parsing in append-field is enabled by default. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H aligns with the description: a single network request with no authentication, no user interaction, and low complexity yields a high availability impact. … |
| Exploit Scenario | An attacker identifies an internet-facing endpoint (login, contact form, file upload, profile edit) that accepts multipart/form-data and is handled by multer. They send a single HTTP POST whose multipart body contains a field name like a[a][a]...[a] repeated thousands of times; multer hands this to append-field, which allocates a correspondingly deep object tree, spiking CPU and RSS until the Node.js worker becomes unresponsive or the process is OOM-killed, taking the service offline. |
| Remediation | Vendor-released patch: multer 2.2.0 on the 2.x line and 3.0.0-alpha.2 on the 3.x prerelease line; upgrade and then explicitly configure the new limits.fieldNestingDepth option to the minimum depth your application actually needs (most apps need 1-2). … |
Recommended Action (AI)
Within 24 hours: Deploy WAF or reverse-proxy rules to block multipart requests with excessive field nesting; implement resource quotas and CPU/memory limits on Node.js processes. …
Weakness: CWE-400 – Uncontrolled Resource Consumption
Technique: Denial of Service
References
EUVD-2026-36726
GHSA-72gw-mp4g-v24j