PatchSiren cyber security CVE debrief
CVE-2026-5079 multer CVE debrief
CVE-2026-5079 is a HIGH severity vulnerability in multer, a popular Node.js middleware for handling multipart/form-data. The vulnerability allows an attacker to cause a Denial of Service (DoS) by sending a single HTTP request with a crafted multipart body containing deeply nested field names. This causes the append-field dependency to allocate deeply nested object structures, consuming excessive CPU and memory.
- Vendor: multer
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Developers and administrators using multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 should be aware of this vulnerability and take immediate action to mitigate it.
Technical summary
The append-field dependency places no limit on nesting depth when it parses bracket notation in field names. An attacker can therefore force the allocation of deeply nested object structures that consume CPU and memory.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth your application requires.
- Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.
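To pick "the minimum depth your application requires", the sketch below derives it from the form fields an application actually uses and checks a request's field names against the resulting limits. It is an added example, not code from multer or append-field; the depth-counting rule, the function names and the sample field names are assumptions made for illustration.

```javascript
// Added example; not code from multer or append-field.
// Assumption: depth = number of closed [..] segments after the base name,
// so "user[address][city]" is depth 2. multer's own counting may differ.
function fieldNestingDepth(name) {
  let depth = 0;
  let open = false;
  for (const ch of name) { // single linear pass, no regex backtracking
    if (ch === '[' && !open) open = true;
    else if (ch === ']' && open) { open = false; depth += 1; }
  }
  return depth;
}

// Smallest limits.fieldNestingDepth that still accepts every field the app uses.
function minimumRequiredDepth(knownFieldNames) {
  return knownFieldNames.reduce((max, n) => Math.max(max, fieldNestingDepth(n)), 0);
}

// Check one request's field names against the limits planned for multer.
function auditFieldNames(names, limits) {
  if (names.length > limits.fields) {
    return { ok: false, reason: 'too many fields', count: names.length };
  }
  for (const name of names) {
    const depth = fieldNestingDepth(name);
    if (depth > limits.fieldNestingDepth) {
      return { ok: false, reason: 'nesting too deep', depth };
    }
  }
  return { ok: true };
}

// Constructed sample data (hypothetical form fields, not from the advisory).
const knownFields = ['title', 'tags[]', 'user[address][city]'];
const limits = { fields: 20, fieldNestingDepth: minimumRequiredDepth(knownFields) };
const overLimit = ['title', 'a[b][c][d][e][f]'];

console.log(limits);
console.log(auditFieldNames(knownFields, limits));
console.log(auditFieldNames(overLimit, limits));
```

After upgrading to a fixed release, the same `limits` object can be passed as `multer({ limits })`.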
Evidence notes
The CVE record and NVD detail pages provide official information about this vulnerability.
Official resources
- CVE-2026-5079 CVE record (CVE.org)
- CVE-2026-5079 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ce714d77-add3-4f53-aff5-83d477b104bb
CVE-2026-5079 was published on 2026-06-15T14:16:37.293Z and has not been modified since then.