Severity by source: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated remote abort-flood against a reachable diskStorage upload endpoint, no user interaction, availability-only impact through disk exhaustion; no confidentiality or integrity effect.
Primary rating from Vendor (openjs).
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.
Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.
Workarounds: None.
Analysis (AI)
Denial of service in Multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 allows remote unauthenticated attackers to exhaust server disk space when the library is configured with diskStorage. Aborted or malformed multipart uploads leave orphaned partial files because stream destruction is not propagated to the underlying fs.WriteStream, enabling resource exhaustion at scale with no public exploit identified at time of analysis. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that the target application uses Multer's diskStorage engine (the default DiskStorage configuration, including the no-arg multer() call which writes to os.tmpdir()) on an affected version 2.0.0-alpha.1 through 2.1.1 or 3.0.0-alpha.1, and that an upload route is reachable by the attacker. … |
| Risk Assessment | All signals point to a credible but bounded availability risk rather than a critical compromise. … |
| Exploit Scenario | An unauthenticated attacker repeatedly opens multipart/form-data POST requests to a Multer diskStorage-backed upload endpoint and aborts each TCP connection mid-transfer after sending some payload bytes. Each aborted request leaves an orphan partial file on disk, and a parallelized loop quickly consumes the upload partition, causing write failures across the application until an operator manually clears the temp directory. … |
| Remediation | Vendor-released patch: upgrade to multer 2.2.0 on the 2.x line or 3.0.0-alpha.2 on the 3.x prerelease, both of which track in-flight write streams and clean them up on the abort path, per the GHSA-3p4h-7m6x-2hcm advisory (https://github.com/expressjs/multer/security/advisories/GHSA-3p4h-7m6x-2hcm) and OpenJS CNA notes (https://cna.openjsf.org/security-advisories.html). … |
Recommended Action (AI)
24 hours: Identify all applications using affected Multer versions (2.0.0-alpha.1 through 2.1.1, and 3.0.0-alpha.1) with diskStorage enabled. …
Weakness: CWE-459 – Incomplete Cleanup
Technique: Denial of Service
References: EUVD-2026-36728, GHSA-3p4h-7m6x-2hcm