Denial of Service Vulnerability in Multer Disk Storage by Express.js
CVE-2026-5038

5.3 MEDIUM

Key Information:

Vendor

Multer

Status
Vendor
CVE Published:
15 June 2026

What is CVE-2026-5038?

Multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 contain a Denial of Service vulnerability in disk storage configurations. An attacker who aborts an upload mid-transfer or sends a malformed multipart body leaves orphaned partial files on disk. The root cause is that Readable.pipe() does not propagate the stream destroy signal to the associated fs.WriteStream, so the write stream is never cleaned up. Repeated aborted uploads can therefore exhaust server disk space even when the application code is free of bugs. Users are urged to upgrade to Multer 2.2.0 or 3.0.0-alpha.2, which properly manage in-flight write streams.

Affected Version(s)

multer 2.0.0-alpha.1 < 2.2.0

multer 3.0.0-alpha.1 < 3.0.0-alpha.2

multer 2.2.0

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

yuki-matsuhashi
HamdaanAliQuatil
fasrm
UlisesGascon
bjohansebas
0xStraw-Hat
bhaswanthc
ByamB4
sbouabid-sec
DavidCarliez
JebeenLee