CVE-2026-5079
Status: Received - Intake
Denial of Service in Multer via Deeply Nested Field Names

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: openjs

Description
Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names (for example a[b][c]) with no limit on nesting depth, so an attacker can force the allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.

Patches: upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth the application actually requires.

Workarounds: setting limits.fields to a reasonable value reduces the number of fields an attacker can send per request. This limits the impact but does not fully mitigate the issue, because it caps the count of fields rather than the nesting depth of any one field name.
Affected Vendors & Products (5 associated CPEs)

Vendor     Product   Version / Range
expressjs  multer    1.0.0
expressjs  multer    2.1.1
expressjs  multer    From 2.2.0 (inc)
expressjs  multer    3.0.0-alpha.1
expressjs  multer    From 3.0.0-alpha.2 (inc)

Per the description above, the vulnerable range is 1.0.0 through 2.1.1 and 3.0.0-alpha.1; 2.2.0 and 3.0.0-alpha.2 are the fixed releases.
CWE

CWE-400 (Uncontrolled Resource Consumption): The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

This vulnerability affects multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1. It is a Denial of Service (DoS) vulnerability caused by the append-field dependency parsing deeply nested field names in multipart form data without any limit on nesting depth.

An attacker can craft a single HTTP request with a multipart body containing deeply nested field names (using bracket notation like a[b][c]) to force the server to allocate large, deeply nested object structures. This consumes excessive CPU and memory resources, potentially causing the server to become unresponsive.
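To make the mechanism concrete, the following is an added example written for this page, not code from append-field or multer: a simplified bracket-notation field-name parser in the style the advisory describes. Run without a depth ceiling it allocates one object per bracket level, so a single field name decides how much the server allocates; with a finite ceiling it rejects the name before any allocation, which is the kind of check limits.fieldNestingDepth is described as adding. The function names, the limit of 16 levels and the sample field names are assumptions made for the illustration; the "[]" array form and file parts are left out.

```javascript
// Added example, not code from append-field or multer: a simplified
// bracket-notation parser, run without a depth ceiling and then with one.
// The function names, the limit of 16 levels and the sample field names are
// assumptions made for this illustration; the "[]" array form and file
// parts are omitted.

// Split "user[address][city]" into ["user", "address", "city"].
function parseFieldPath(name) {
  const m = /^([^\[\]]*)((?:\[[^\[\]]*\])*)$/.exec(name);
  if (!m) return [name]; // unbalanced brackets: treat the whole name as one key
  const segments = [m[1]];
  const group = /\[([^\[\]]*)\]/g;
  let hit;
  while ((hit = group.exec(m[2])) !== null) segments.push(hit[1]);
  return segments;
}

// Nesting depth of a field name: the number of path segments, i.e. how many
// objects (including the root) must exist to hold the value.
function fieldDepth(name) {
  return parseFieldPath(name).length;
}

// Store one field. With maxDepth = Infinity every bracket level allocates a
// fresh object and nothing stops a 10,000-level name; a finite maxDepth
// rejects the name before any allocation happens.
function appendField(target, name, value, maxDepth = Infinity) {
  const path = parseFieldPath(name);
  if (path.length > maxDepth) {
    throw new RangeError(
      `field name nests ${path.length} levels, limit is ${maxDepth}`);
  }
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    if (node[key] === null || typeof node[key] !== 'object') {
      node[key] = Object.create(null); // prototype-less: keys stay plain data
    }
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Collect [name, value] pairs the way a multipart parser would after reading
// each non-file part.
function collectFields(fields, maxDepth = Infinity) {
  const body = Object.create(null);
  for (const [name, value] of fields) appendField(body, name, value, maxDepth);
  return body;
}

// Attacker-style field name: "a[x][x]...[x]" with n bracket levels.
function deepName(n) {
  return 'a' + '[x]'.repeat(n);
}

// Count the objects allocated along the first-key chain of a result.
function chainLength(obj) {
  let count = 0;
  let node = obj;
  while (node !== null && typeof node === 'object') {
    count += 1;
    const keys = Object.keys(node);
    if (keys.length === 0) break;
    node = node[keys[0]];
  }
  return count;
}

// Unbounded: one field of 10,000 levels allocates 10,001 objects.
const hostile = [[deepName(10000), '1']];
console.log('unbounded objects allocated:', chainLength(collectFields(hostile)));

// Hardened: the same input is rejected before anything is allocated.
try {
  collectFields(hostile, 16);
} catch (e) {
  console.log('limited parser rejected it:', e.message);
}
```

The point of the depth check sitting before the loop is that the cost of the rejection is a single regex pass over the name, whereas the unbounded path pays one allocation per level and keeps the whole chain alive until the request is finished. The value of 16 is an assumption; the advisory's guidance is to pick the minimum depth the application's forms actually use.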

Impact Analysis

The primary impact of this vulnerability is a Denial of Service (DoS) condition. By sending a single malicious HTTP request with deeply nested multipart form data, an attacker can exhaust server CPU and memory resources.

This can lead to server slowdowns, crashes, or unavailability, disrupting normal service and potentially affecting all users relying on the affected application.

Detection Guidance

Exploitation attempts can be recognised by inspecting multipart form data for field names whose bracket notation nests unusually deeply (e.g., a[b][c][d]...). Such requests cause disproportionate CPU and memory usage relative to their size, since each bracket level costs only a few bytes on the wire but an object allocation on the server; a hostile request therefore need not be unusually large overall.

Ordinary access logs record the request line and headers, not the multipart body, so field-name inspection has to happen where the body is visible: a WAF or reverse proxy that parses multipart parts, or the application's own request handling. At the host level, watch for CPU and memory spikes in the Node.js process that correlate with multipart POST requests.

The advisory provides no detection signatures or commands. The practical signals are the maximum bracket depth of any field name in a multipart request, the number of fields per request, and abnormal resource consumption while such requests are being parsed.
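As an added example of the body-level check described above (written for this page, not a signature from the advisory or from multer), the scanner below walks a raw multipart/form-data body, reads the name from each part's Content-Disposition header and reports the field count and the deepest bracket nesting, flagging the request when that depth exceeds a threshold. The boundary string, the two sample bodies and the threshold of 8 levels are constructed for the illustration.

```javascript
// Added example, not from the advisory or from multer: scan a raw
// multipart/form-data body and report the deepest bracket-nested field name.
// The boundary, the sample bodies and the threshold of 8 levels are
// constructed for this illustration.

const BOUNDARY = 'ExampleBoundary0123456789';

// Depth of a field name: bracket groups plus the leading key.
// "user[address][city]" -> 3, "a" -> 1.
function fieldDepth(name) {
  return (name.match(/\[[^\[\]]*\]/g) || []).length + 1;
}

// Build a multipart body from [name, value] pairs (constructed test input).
function buildMultipartBody(boundary, fields) {
  return fields.map(([name, value]) =>
    `--${boundary}\r\nContent-Disposition: form-data; name="${name}"\r\n\r\n${value}\r\n`
  ).join('') + `--${boundary}--\r\n`;
}

// Walk the parts, read each Content-Disposition name, track count and depth.
function scanMultipart(body, boundary, maxAllowedDepth) {
  const stats = { fieldCount: 0, maxDepth: 0, deepestField: null, exceeded: false };
  for (const chunk of body.split(`--${boundary}`)) {
    const headerEnd = chunk.indexOf('\r\n\r\n');
    if (headerEnd === -1) continue; // preamble, closing "--", or malformed part
    const headers = chunk.slice(0, headerEnd);
    // \bname= does not match inside filename=, so file parts are named correctly
    const m = /content-disposition:[^\r\n]*?\bname="([^"]*)"/i.exec(headers);
    if (!m) continue;
    const depth = fieldDepth(m[1]);
    stats.fieldCount += 1;
    if (depth > stats.maxDepth) {
      stats.maxDepth = depth;
      // keep alerts readable: a hostile name can be tens of kilobytes long
      stats.deepestField = m[1].length > 40 ? m[1].slice(0, 40) + '...' : m[1];
    }
  }
  stats.exceeded = stats.maxDepth > maxAllowedDepth;
  return stats;
}

// Constructed samples: a normal profile form and a single deeply nested field.
const BENIGN_BODY = buildMultipartBody(BOUNDARY, [
  ['user[name]', 'alice'],
  ['user[email]', 'alice@example.com'],
  ['tags[]', 'blue'],
]);
const HOSTILE_BODY = buildMultipartBody(BOUNDARY, [
  ['a' + '[x]'.repeat(5000), '1'],
]);

function scanSamples(maxAllowedDepth = 8) {
  return {
    benign: scanMultipart(BENIGN_BODY, BOUNDARY, maxAllowedDepth),
    hostile: scanMultipart(HOSTILE_BODY, BOUNDARY, maxAllowedDepth),
  };
}

console.log(JSON.stringify(scanSamples(), null, 2));
```

The scanner splits the whole body for clarity; a proxy-side implementation would inspect each part header as it streams in and stop at the first name over the threshold, so that the check itself never has to buffer an attacker-controlled body. The threshold should match whatever limits.fieldNestingDepth is set to in the application, so that alerts line up with what the parser rejects.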

Mitigation Strategies

Immediate mitigation steps include upgrading multer to version 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease), which contain patches for this vulnerability.

After upgrading, set the new limits.fieldNestingDepth option explicitly to the minimum nesting depth your application's forms require, rather than relying on whatever the default is; the lower the value, the less an attacker can make the parser allocate per field.

As a workaround on unpatched versions, set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This only bounds the field count, not the depth of any single field name, so it limits the impact without fully mitigating the issue.

Compliance Impact

The vulnerability in multer allows a Denial of Service (DoS) attack by exhausting CPU and memory resources through deeply nested field names in multipart form data.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, a DoS vulnerability can impact the availability of services, which is a factor in regulatory compliance related to system reliability and availability.

However, there is no direct information provided about how this vulnerability specifically affects compliance with these regulations.
