CVE-2026-5038

MEDIUM 5.3

multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required. Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path. Workarounds: None.

CWE	CWE-459
Vendor	multer
Product	multer
Published	Jun 15, 2026

Stay Ahead of the Next One

Get instant alerts for multer multer

Be the first to know when new medium vulnerabilities affecting multer multer are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

multer / multer

2.0.0-alpha.1 < 2.2.0 3.0.0-alpha.1 < 3.0.0-alpha.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/expressjs/multer/security/advisories/GHSA-3p4h-7m6x-2hcm cna.openjsf.org: https://cna.openjsf.org/security-advisories.html

Credits

yuki-matsuhashi HamdaanAliQuatil fasrm UlisesGascon bjohansebas 0xStraw-Hat bhaswanthc ByamB4 sbouabid-sec DavidCarliez JebeenLee