Multer

5 CVEs product

CVE-2026-5038 npm HIGH PATCH GHSA This Week

Denial of service in Multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 allows remote unauthenticated attackers to exhaust server disk space when the library is configured with diskStorage. Aborted or malformed multipart uploads leave orphaned partial files because stream destruction is not propagated to the underlying fs.WriteStream, which enables resource exhaustion at scale. No public exploit has been identified at time of analysis. EPSS probability is low at 0.25%, but SSVC marks the issue automatable with partial technical impact.

Denial Of Service Multer
NVD GitHub VulDB
CVSS 3.1: 7.5
EPSS: 0.2%
CVE-2026-5079 npm HIGH PATCH GHSA This Week

Denial of service in the Express.js multer middleware (versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1) allows unauthenticated remote attackers to exhaust CPU and memory by sending a single multipart form request with deeply nested bracket-notation field names. The flaw lives in the append-field dependency, which parses nesting depth without any cap, so one crafted POST can degrade or crash Node.js services. No public exploit has been identified at time of analysis, but the issue is trivially reproducible against any default multer deployment exposed on the network.

Denial Of Service Multer
NVD GitHub
CVSS 3.1: 7.5
EPSS: 0.3%
CVE-2026-3520 npm HIGH PATCH This Week

Denial of service in Multer (Express.js multipart/form-data middleware) before version 2.1.1 allows remote unauthenticated attackers to crash a Node.js application by sending specially malformed multipart requests that trigger uncontrolled recursion and stack overflow. Affecting one of the most widely used file-upload middlewares in the Node.js/Express ecosystem, the flaw carries a CVSS 4.0 base score of 8.7 with availability-only impact. There is no public exploit identified at time of analysis and the EPSS score is very low (0.06%, 18th percentile), but a vendor patch and Red Hat errata are available.

Denial Of Service Node.js Multer
NVD GitHub VulDB
CVSS 4.0: 8.7
EPSS: 0.1%
CVE-2026-3304 npm HIGH PATCH This Week

Denial of service in Multer (the Express/Node.js multipart/form-data middleware) before version 2.1.0 lets remote attackers exhaust server resources by submitting malformed multipart requests, crashing or hanging the upload-handling process. The flaw scores 8.7 under CVSS 4.0 with an availability-only impact and requires no authentication or user interaction; no public exploit has been identified at time of analysis, and EPSS rates near-term exploitation probability very low (0.06%, 17th percentile). A vendor patch (2.1.0) is available and Red Hat has shipped errata, but no workaround exists.

Denial Of Service Node.js Multer
NVD GitHub VulDB
CVSS 4.0: 8.7
EPSS: 0.1%
CVE-2026-2359 npm HIGH PATCH This Week

Denial of service in Multer (Express.js multipart/form-data middleware) before version 2.1.0 lets remote unauthenticated attackers exhaust server resources by abruptly dropping the connection mid file-upload, leaving allocated resources unreleased. The flaw maps to CWE-772 (missing release of resource) and carries a CVSS 4.0 base score of 8.7 driven entirely by availability impact. There is no public exploit identified at time of analysis and the EPSS probability is very low (0.06%), but a fixed release (2.1.0) is available and no workarounds exist.

Denial Of Service Node.js File Upload Multer
NVD GitHub VulDB
CVSS 4.0: 8.7
EPSS: 0.1%