216.73.216.226

CVE-2026-5079

· Published 15/06/2026 16:16 · Modified 16/06/2026 16:49 · Author: The MITRE Corporation

Labels: CVE-2026-5079 2026-06-15CVE-2026-5079CWE-400ce714d77-add3-4f53-aff5-83d477b104bb

Essential information

Published
15/06/2026 16:16
Modified
16/06/2026 16:49
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CWE-400
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS metrics

Description

Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this. Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires. Workarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.

NVD status

Status
Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source
ce714d77-add3-4f53-aff5-83d477b104bb
NVD
View on NVD

Affected products (CPE)

ProductCPE
expressjs / multer cpe:2.3:a:expressjs:multer:*:*:*:*:*:node.js:*:*
expressjs / multer cpe:2.3:a:expressjs:multer:3.0.0:alpha1:*:*:*:node.js:*:*

References