Description
Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.

Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires.

Workarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed multipart/form-data request whose field names use deeply nested bracket notation causes multer to allocate an object structure as deep as the attacker chooses, burning CPU and memory until the web application can no longer serve requests. The weakness is uncontrolled resource consumption (CWE-400); it involves no authentication bypass and no compromise of confidentiality or integrity.

Affected Systems

The vulnerability affects Multer, the Node.js multipart middleware commonly used with Express. All released versions from 1.0.0 through 2.1.1 inclusive, as well as the pre-release 3.0.0-alpha.1, are impacted. Any application that accepts multipart requests through an affected version is exposed; the defect is in multer's handling of field names, so it is reachable on every route that uses the middleware.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates high severity, with availability as the only impacted property. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog at this time, so there is no public evidence of exploitation yet. The attack itself is trivial, however: a single crafted HTTP request to an endpoint that runs multer suffices, with no credentials or user interaction required, so internet-exposed upload endpoints on affected versions should be treated as at immediate risk.

Generated by OpenCVE AI on June 16, 2026 at 02:28 UTC.

Remediation

Vendor fix available: upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and set limits.fieldNestingDepth. Partial workaround on unpatched versions: lower limits.fields to cap the number of fields per request.

OpenCVE Recommended Actions

  • Upgrade Multer to the officially released 2.2.0 version of the 2.x line or to 3.0.0‑alpha.2 for the 3.x pre‑release, as advised by the vendor.
  • Configure the limits.fieldNestingDepth option in the Multer configuration to the minimal depth your application requires; this limits the allowed nesting of field names.
  • As a temporary measure on unpatched versions, set the limits.fields option to a low value to cap the number of fields per request. This limits how many nested structures one request can create but does not stop a single deeply nested field, so it is a partial mitigation only.

Generated by OpenCVE AI on June 16, 2026 at 02:28 UTC.
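
The description and the recommended actions both turn on one mechanism: bracket-notation field names being expanded into nested objects with no cap on depth. The following is an added example written for this page, not code from multer or append-field. It re-implements that expansion in toy form to show why one field is enough and why limits.fields alone is only a partial mitigation. The `limits` object borrows the option names the advisory gives (fields, fieldNestingDepth); how multer applies them internally is not reproduced, array syntax (`tags[]`) is left out, and the 100000-segment field name is constructed here as sample attacker input.

```javascript
// Added example for this page; not the code of multer or append-field.
// A toy re-implementation of bracket-notation field expansion, with the two
// caps the advisory names (limits.fields, limits.fieldNestingDepth) added so
// their effect can be compared. Array syntax ("tags[]") is intentionally not
// handled; that is a simplification of this toy, not append-field behaviour.

// "user[address][city]" -> ["user", "address", "city"]; null if malformed.
// Linear scan rather than a regex, so a 300 KB field name is parsed in O(n).
function parseFieldPath(name) {
  const open = name.indexOf('[');
  if (open === -1) return name.includes(']') ? null : [name];
  if (open === 0) return null; // must start with a bare key
  const path = [name.slice(0, open)];
  let i = open;
  while (i < name.length) {
    if (name[i] !== '[') return null;
    const close = name.indexOf(']', i + 1);
    if (close === -1) return null;
    const seg = name.slice(i + 1, close);
    if (seg.includes('[')) return null;
    path.push(seg);
    i = close + 1;
  }
  return path;
}

// Nesting depth of a field name = number of bracket segments.
function fieldNestingDepth(name) {
  const path = parseFieldPath(name);
  return path ? path.length - 1 : 0;
}

// Assign value at the parsed path, allocating one object per intermediate
// segment. With maxDepth = Infinity this is the unbounded behaviour the
// advisory describes: the attacker decides how many objects get allocated.
function appendField(target, name, value, maxDepth = Infinity) {
  const path = parseFieldPath(name);
  if (!path) throw new TypeError(`unparseable field name: ${name.slice(0, 40)}`);
  const depth = path.length - 1;
  if (depth > maxDepth) {
    throw new RangeError(`field nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  let cur = target;
  for (let i = 0; i < depth; i++) {
    const key = path[i];
    if (typeof cur[key] !== 'object' || cur[key] === null) cur[key] = {};
    cur = cur[key];
  }
  cur[path[depth]] = value;
  return target;
}

// Simulate a multipart parser handing (name, value) pairs to the body builder.
// `limits` uses the option names from the advisory; multer's own enforcement
// logic is not reproduced here.
function processFields(fields, limits = {}) {
  const maxFields = limits.fields ?? Infinity;
  const maxDepth = limits.fieldNestingDepth ?? Infinity;
  if (fields.length > maxFields) {
    throw new RangeError(`too many fields: ${fields.length} > ${maxFields}`);
  }
  const body = {};
  for (const [name, value] of fields) appendField(body, name, value, maxDepth);
  return body;
}

// Iterative depth measurement: a recursive walk would itself overflow the
// call stack on the structure the attacker produces.
function objectDepth(root) {
  let max = 0;
  const stack = [[root, 0]];
  while (stack.length) {
    const [node, d] = stack.pop();
    if (d > max) max = d;
    for (const v of Object.values(node)) {
      if (v !== null && typeof v === 'object') stack.push([v, d + 1]);
    }
  }
  return max;
}

// Constructed attacker input: one field name with `depth` bracket segments.
function craftedFieldName(depth) {
  return 'f' + '[x]'.repeat(depth);
}

function outcome(fn) {
  try { fn(); return 'accepted'; } catch (e) { return `rejected: ${e.constructor.name}`; }
}

function demo() {
  const evil = [[craftedFieldName(100000), '1']]; // ~300 KB, a single field
  const unbounded = processFields(evil);           // unpatched: 100000 nested objects
  return {
    unboundedDepth: objectDepth(unbounded),
    // limits.fields alone cannot stop it: the request only carries one field.
    fieldsOnly: outcome(() => processFields(evil, { fields: 1 })),
    // A nesting cap rejects the field before the first object is allocated.
    depthCapped: outcome(() => processFields(evil, { fields: 1, fieldNestingDepth: 8 })),
  };
}

console.log(demo());
```

Run with `node` and compare the three results: the unbounded path builds an object 100000 levels deep from one field, the fields-only cap accepts the same request, and the depth cap rejects it up front. The depth check happens on the field name alone, before anything is allocated, which is the property a fix for this class of bug needs.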

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 17:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Expressjs
                                      Expressjs multer
CPEs                                  cpe:2.3:a:expressjs:multer:*:*:*:*:*:node.js:*:*
                                      cpe:2.3:a:expressjs:multer:3.0.0:alpha1:*:*:*:node.js:*:*
Vendors & Products                    Expressjs
                                      Expressjs multer

Mon, 15 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 14:00:00 +0000

Type          Values Removed   Values Added
Description                    Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this. Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires. Workarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.
Title                          multer vulnerable to Denial of Service via deeply nested field names
Weaknesses                     CWE-400
References
Metrics                        cvssV3_1
                               {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Expressjs Multer
MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-06-15T16:00:43.955Z

Reserved: 2026-03-28T19:04:56.443Z

Link: CVE-2026-5079

Vulnrichment

Updated: 2026-06-15T16:00:37.960Z

NVD

Status : Analyzed

Published: 2026-06-15T14:16:37.293

Modified: 2026-06-16T16:49:34.057

Link: CVE-2026-5079

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T02:30:14Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption