Description
Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to
the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.

Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.

Workarounds: None.
Published: 2026-06-15
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Express.js multer library causes partial files from aborted or malformed multipart uploads to remain on disk when diskStorage is used. The Readable.pipe() call does not forward the stream destroy signal to the underlying fs.WriteStream, leaving orphaned data files. An attacker can repeatedly trigger failed uploads, quickly consuming disk space and bringing the application to a halt, which is a classic Resource Exhaustion vulnerability (CWE‑459).

Affected Systems

The vulnerability affects Express.js multer versions 2.0.0‑alpha.1 through 2.1.1 and 3.0.0‑alpha.1. All deployments that use multer’s diskStorage configuration in these or earlier releases are susceptible. This includes any Node.js web application that accepts file uploads via multer for any HTTP route.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, via HTTP multipart form uploads, because an attacker can trigger the condition by sending aborted uploads to any endpoint that uses multer diskStorage. No additional application bug is required—just a large volume of aborted uploads to exhaust disk space.

Generated by OpenCVE AI on June 18, 2026 at 01:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade multer to version 2.2.0 or newer on the 2.x line, or to 3.0.0‑alpha.2 if using the prerelease line, as these releases add stream tracking and cleanup on abort.
  • Implement monitoring of disk usage and abnormal file growth so that potential DoS attempts can be detected early and mitigated before critical disk exhaustion occurs.
  • Configure the application to limit file upload size or number of concurrent uploads, or switch to memoryStorage for untrusted uploads, to reduce the resource impact of an attack.

Generated by OpenCVE AI on June 18, 2026 at 01:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3p4h-7m6x-2hcm Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads
History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Multer
Multer multer
Vendors & Products Multer
Multer multer

Tue, 16 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Expressjs
Expressjs multer
CPEs cpe:2.3:a:expressjs:multer:*:*:*:*:*:node.js:*:*
cpe:2.3:a:expressjs:multer:3.0.0:alpha1:*:*:*:node.js:*:*
Vendors & Products Expressjs
Expressjs multer

Mon, 15 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required. Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path. Workarounds: None.
Title multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads
Weaknesses CWE-459
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-06-15T16:07:45.114Z

Reserved: 2026-03-27T16:26:09.638Z

Link: CVE-2026-5038

cve-icon Vulnrichment

Updated: 2026-06-15T16:07:33.955Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-15T16:16:34.423

Modified: 2026-06-16T16:59:41.270

Link: CVE-2026-5038

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:08:57Z

Weaknesses