Denial of Service Vulnerability in multer by Express.js
CVE-2026-5079

7.5HIGH

Key Information:

Vendor: Multer
Status: Multer
Vendor: CVE Published:; 15 June 2026

What is CVE-2026-5079?

The multer library, used for handling multipart form data in Node.js applications, is susceptible to a Denial of Service vulnerability. Attackers can exploit this by sending a malicious multipart body that contains deeply nested field names, leading to excessive CPU and memory usage. This occurs due to the append-field dependency's lack of limits on the depth of nesting, allowing extensive object structures to be allocated. To mitigate this issue, users should upgrade to multer version 2.2.0 or 3.0.0-alpha.2 and implement the new limits.fieldNestingDepth configuration to control nesting depth. Additionally, setting limits.fields can help restrict the number of fields processed per request.

Affected Version(s)

multer 1.0.0 < 2.2.0

multer 3.0.0-alpha.1 < 3.0.0-alpha.2

multer 2.2.0

References

https://github.com/expressjs/multer/security/advisories/G...

https://cna.openjsf.org/security-advisories.html

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 15, 2026
Vulnerability Reserved
Mar 28, 2026

Credit

tndud042713

UlisesGascon

CVE-2026-5079 Data

JSON

Multer

What is CVE-2026-5079?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit