HIGH · CVE-2026-5079 · CNA: openjs

CVE-2026-5079: multer vulnerable to Denial of Service via deeply nested field names

Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.

Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires.

Workarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 2.2.0
Affected products: 1


HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in the multer Node.js middleware, which handles multipart form data uploads. The flaw is reachable over the network with no authentication required: a single crafted HTTP request containing a multipart body with deeply nested bracket-notation field names forces the server to allocate deeply nested object structures, exhausting CPU and memory. Successful exploitation crashes or severely degrades the affected service. Patched-image rebuilds at multer 2.2.0 and 3.0.0-alpha.2 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-5079 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of its publication, including custom-built images that bundle multer as a dependency. HarborGuard ingests from upstream advisory feeds (including the OpenJS CNA) and is capable of identifying affected multer versions in the 1.0.0-2.1.1 and 3.0.0-alpha.1 ranges present in any scanned registry or CI pipeline.

Triage: Available

Triage is available with the CVSS v3.1 score of 7.5 (HIGH) applied automatically, weighted further by each customer organization's per-environment compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at multer 2.2.0 (for the 2.x line) or 3.0.0-alpha.2 (for the 3.x prerelease line) becomes available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the target service over the network; the vulnerable multipart parsing is triggered by a standard HTTP request sent to any exposed endpoint using multer.

  • Authentication: Not required

    No account or credential is needed; the malicious multipart request can be submitted by any unauthenticated HTTP client.

  • Victim interaction: Not required

    No user action is required; the attacker sends a single crafted request directly to the server without any social-engineering step.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and condition-free; no race conditions, memory layout knowledge, or other environmental factors are needed to trigger the vulnerability.

Blast Radius

  • Crashes or severely degrades the targeted Node.js service by exhausting available CPU and memory through deeply nested object allocation.
  • A single HTTP request is sufficient to trigger the impact, making repeated or distributed attacks trivial.
  • All endpoints in the application that use multer for multipart form parsing are exposed, not just dedicated file-upload routes.

How HarborGuard Handles This

Available on HarborGuard: detection of this CVE fires against any image containing multer 1.0.0-2.1.1 or 3.0.0-alpha.1 within minutes of the advisory being ingested. For environments with auto-remediation enabled, HarborGuard can rebuild the image at multer 2.2.0 (or 3.0.0-alpha.2 for prerelease tracks), run regression tests, and open a pull request against affected workloads. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a prioritized finding card are queued for engineer review. Regardless of auto-remediation setting, HarborGuard surfaces the upstream workaround guidance: setting limits.fields to a conservative value reduces the number of fields an attacker can submit per request, partially limiting impact until the version upgrade is applied. Customers should also configure the new limits.fieldNestingDepth option after upgrading to cap nesting at the minimum depth their application requires.
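The two knobs named in the Impact paragraph above and restated here, limits.fields (the upstream workaround) and limits.fieldNestingDepth (the new option in the fixed versions), as an added JavaScript example that is not code from multer, append-field or HarborGuard. It models a defender-side pre-check over the non-file field names of a multipart request: the bracket-parsing rule, the limit values and the sample field names are assumptions constructed for illustration, and the `uploadLimits` object is in the shape one would hand to `multer({ limits })` after upgrading.

```javascript
// Added example, not code from multer, append-field or HarborGuard.
// Models limits.fields and limits.fieldNestingDepth as a stand-alone
// pre-check over multipart field names, so a request exceeding either
// limit is rejected before any nested object is allocated.

// Assumed nesting rule: the leading identifier is level 1 and every
// trailing "[...]" segment (including "[]") adds one level, so
// "user[address][city]" has depth 3. This is an illustration of how
// bracket notation nests, not append-field's actual parser.
function fieldNestingDepth(name) {
  const open = name.indexOf('[');
  if (open === -1) return 1; // plain "title" is a single level
  let depth = 1;
  let i = open;
  while (i < name.length && name[i] === '[') {
    const close = name.indexOf(']', i + 1);
    if (close === -1) break; // unterminated bracket: stop counting
    depth += 1;
    i = close + 1;
  }
  return depth;
}

// Limits in the shape passed to multer({ limits }) once on 2.2.0 or
// 3.0.0-alpha.2. The numbers are assumptions: set each to the minimum
// your own forms actually need.
const uploadLimits = {
  fields: 50,           // upstream workaround: cap non-file fields per request
  fieldNestingDepth: 4, // new option in the fixed versions: cap bracket depth
};

// Apply both limits to the non-file field names of one request and
// report which names a hardened parser would accept or reject.
function checkFieldNames(fieldNames, limits = uploadLimits) {
  const accepted = [];
  const rejected = [];
  fieldNames.forEach((name, index) => {
    if (index >= limits.fields) {
      rejected.push({ name, reason: 'fields' });
      return;
    }
    const depth = fieldNestingDepth(name);
    if (depth > limits.fieldNestingDepth) {
      rejected.push({ name, reason: 'fieldNestingDepth', depth });
      return;
    }
    accepted.push(name);
  });
  return { accepted, rejected };
}

// Constructed sample: three ordinary form fields plus one name nested
// 12 levels deep, the kind of input the advisory describes.
const sampleFieldNames = [
  'title',
  'user[name]',
  'user[address][city]',
  'a' + '[b]'.repeat(11),
];

console.log(JSON.stringify(checkFieldNames(sampleFieldNames), null, 2));
```

With the assumed limits the three ordinary names are accepted and the 12-level name is rejected with reason `fieldNestingDepth`; raising `fields` alone would not change that outcome, which is why the advisory calls limits.fields a partial mitigation and the depth cap the real fix.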


Fix available: 2.2.0, 3.0.0-alpha.2
Affected packages
  • multer / multer
    < 2.2.0 (from 1.0.0) · < 3.0.0-alpha.2 (from 3.0.0-alpha.1)
    Fixed in 2.2.0, 3.0.0-alpha.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H