PatchSiren cyber security CVE debrief
CVE-2026-5038 multer CVE debrief
CVE-2026-5038 is a Denial of Service vulnerability affecting multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1. The vulnerability occurs when using diskStorage, where aborted or malformed multipart uploads leave orphaned partial files on disk. This happens because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exploit this by triggering many aborted uploads, leading to disk space exhaustion, without requiring any application bug.
- Vendor
- multer
- Product
- Unknown
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 should be aware of this vulnerability and take necessary actions to mitigate it.
Technical summary
The vulnerability has a CVSS score of 5.3 and is classified as MEDIUM severity. It can be exploited by an attacker to cause a Denial of Service by exhausting disk space through triggered aborted uploads.
Defensive priority
High
Recommended defensive actions
- Upgrade to multer version 2.2.0 (for 2.x line) or 3.0.0-alpha.2 (for 3.x prerelease) as these versions track in-flight write streams and clean them up on the abort path.
Evidence notes
The CVE record was published on June 15, 2026, and has not been modified since then. The vulnerability was reported by an unknown vendor, and Openjsf is listed as a candidate for the reference domain.
Official resources
-
CVE-2026-5038 CVE record
CVE.org
-
CVE-2026-5038 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
ce714d77-add3-4f53-aff5-83d477b104bb
-
Source reference
ce714d77-add3-4f53-aff5-83d477b104bb
CVE-2026-5038 was published on 2026-06-15T16:16:34.423Z.