CVE-2026-5038

Vulnerability

Multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a denial of service when using diskStorage. The Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream, causing aborted or malformed multipart uploads to leave orphaned partial files on disk [1][2]. No special configuration is required beyond the use of diskStorage.

Exploitation

An attacker with network access to the application can send a multipart upload request and abort it before completion, or send a malformed request that triggers an early abort. By repeating this process, the attacker can accumulate many orphaned partial files, exhausting available disk space. No authentication or user interaction is required [2].

Impact

Successful exploitation leads to disk space exhaustion, resulting in a denial of service (DoS) as the application may be unable to write new files or function properly. The attack affects availability only; confidentiality and integrity are not compromised [1][2].

Mitigation

Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease), both of which track in-flight write streams and clean them up on the abort path [1][2]. No workarounds are available.