Impact
A flaw in the Express.js multer library causes partial files from aborted or malformed multipart uploads to remain on disk when diskStorage is used. The Readable.pipe() call does not forward the stream destroy signal to the underlying fs.WriteStream, leaving orphaned data files. An attacker can repeatedly trigger failed uploads, quickly consuming disk space and bringing the application to a halt, which is a classic Resource Exhaustion vulnerability (CWE‑459).
Affected Systems
The vulnerability affects Express.js multer versions 2.0.0‑alpha.1 through 2.1.1 and 3.0.0‑alpha.1. All deployments that use multer’s diskStorage configuration in these or earlier releases are susceptible. This includes any Node.js web application that accepts file uploads via multer for any HTTP route.
Risk and Exploitability
The CVSS base score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, via HTTP multipart form uploads, because an attacker can trigger the condition by sending aborted uploads to any endpoint that uses multer diskStorage. No additional application bug is required—just a large volume of aborted uploads to exhaust disk space.
OpenCVE Enrichment
Github GHSA