CVE-2026-5038
Status: Received - Intake
Denial of Service in Multer via Aborted Uploads

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: openjs

Description
Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads; no application bug is required.

Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.

Workarounds: None.
Meta Information
Generated: 2026-06-15
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products (4 associated CPEs)

Vendor   Product   Version / Range
multer   multer    From 2.0.0-alpha.1 (inc) to 2.2.0 (exc)
multer   multer    From 3.0.0-alpha.1 (inc) to 3.0.0-alpha.2 (exc)
multer   multer    2.2.0
multer   multer    3.0.0-alpha.2
CWE
CWE ID Description
CWE-459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
AI Quick Actions
Executive Summary

CVE-2026-5038 is a vulnerability in the Multer library, which is used for handling multipart/form-data in Node.js applications. The issue occurs when using the diskStorage option, where aborted or malformed multipart uploads leave orphaned partial files on disk.

This happens because the Readable.pipe() call does not propagate the stream destroy signal to the underlying file system write stream (fs.WriteStream), causing incomplete cleanup of partial files.

An attacker can exploit this by triggering many aborted uploads, which causes disk space to be exhausted without requiring any application bugs.

Impact Analysis

This vulnerability can lead to a Denial of Service (DoS) condition by exhausting the disk space on the server where the Multer library is used.

Since aborted or malformed uploads leave orphaned partial files, an attacker can fill up the disk by repeatedly triggering such uploads, potentially disrupting the availability of the affected application or service.

No special privileges or user interaction are required to exploit this vulnerability, making it easier for remote attackers to cause service disruption.

Detection Guidance

This vulnerability causes orphaned partial files to accumulate on disk due to aborted or malformed multipart uploads when using multer's diskStorage. Detection can involve monitoring disk usage for unusual growth and checking for leftover partial upload files in the storage directories used by multer.

Specific commands to detect this issue might include checking disk space usage and listing files in the upload directory to identify orphaned partial files.

  • Use disk space monitoring commands such as: df -h
  • List files in the upload directory to find orphaned partial files, for example: ls -l /path/to/multer/uploads
  • Use find to locate recently modified or partial files: find /path/to/multer/uploads -type f -mtime -1
Mitigation Strategies

The primary mitigation step is to upgrade multer to a fixed version that addresses this vulnerability.

  • Upgrade multer to version 2.2.0 or later in the 2.x line.
  • Alternatively, upgrade to version 3.0.0-alpha.2 or later in the 3.x prerelease line.

There are no known workarounds other than upgrading to a patched version.

Compliance Impact

This vulnerability causes a Denial of Service by exhausting disk space through orphaned partial files, impacting system availability.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the availability impact could indirectly affect compliance by disrupting service continuity or data processing operations.

There is no direct information provided about data confidentiality or integrity breaches, which are often critical for compliance with these regulations.
