CVE-2026-5079
Description
Multer versions 1.0.0-2.1.1 and 3.0.0-alpha.1 vulnerable to DoS via deeply nested field names in multipart form data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service (DoS) via deeply nested field names in multipart form data [1][2]. The append-field dependency parses bracket notation (e.g., a[b][c]) in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory.
Exploitation
An attacker can send a single HTTP request with a crafted multipart body containing field names with excessive nesting depth (e.g., a[0][1][2]...). No authentication or special privileges are required; the attack vector is over the network. The request triggers the append-field parser to recursively build nested objects, leading to high CPU and memory usage.
Impact
Successful exploitation results in Denial of Service (DoS), exhausting the server's CPU and memory resources. The service may become unresponsive or crash, affecting availability.
Mitigation
Users should upgrade to multer version 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth required by their application [2]. As a partial workaround, setting limits.fields to a reasonable value reduces the number of fields an attacker can send per request, but does not fully mitigate the issue [2].
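The depth cap described above, shown as an added example that is not Multer's or append-field's own code: a simplified bracket-notation field parser that rejects a field name before allocating any nested objects once its depth exceeds a cap, which is what limits.fieldNestingDepth is meant to enforce. The cap of 5, the function names and the sample multipart field pairs are assumptions; append-field's "[]" array-append semantics are omitted.

```javascript
// Added example, not Multer's or append-field's code. Simplified parser for
// bracket-notation field names ("a[b][c]") with a nesting-depth cap.

const DEFAULT_MAX_DEPTH = 5; // assumed cap; set it to what your forms need

// Split "a[b][c]" into ["a", "b", "c"]. Depth is the number of bracket
// segments; reject before building anything if it exceeds maxDepth.
function parseFieldPath(name, maxDepth = DEFAULT_MAX_DEPTH) {
  const m = /^([^\[\]]+)((?:\[[^\[\]]*\])*)$/.exec(name);
  if (m === null) throw new Error(`malformed field name: ${name}`);
  const segments = m[2].match(/\[[^\[\]]*\]/g) || [];
  // Cheap count check, done before any nested object is allocated.
  if (segments.length > maxDepth) {
    throw new Error(`field "${m[1]}" nests ${segments.length} deep (limit ${maxDepth})`);
  }
  return [m[1], ...segments.map((s) => s.slice(1, -1))];
}

// Assign value into target along the parsed path, creating intermediate
// objects. Prototype keys are refused so a field name cannot reach
// Object.prototype.
function appendField(target, name, value, maxDepth = DEFAULT_MAX_DEPTH) {
  const path = parseFieldPath(name, maxDepth);
  let node = target;
  for (let i = 0; i < path.length; i++) {
    const key = path[i];
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
      throw new Error(`refusing prototype key in field "${name}"`);
    }
    if (i === path.length - 1) {
      node[key] = value;
    } else {
      if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
      node = node[key];
    }
  }
  return target;
}

// Parse a list of [name, value] pairs (one multipart body's text fields);
// a single over-deep name rejects the whole request instead of consuming memory.
function parseFields(pairs, maxDepth = DEFAULT_MAX_DEPTH) {
  return pairs.reduce((acc, [n, v]) => appendField(acc, n, v, maxDepth), {});
}

// Constructed sample body: two acceptable fields and one over-deep field name.
const sampleFields = [['user[name]', 'Ada'], ['user[address][city]', 'Oslo']];
const overDeepField = ['a' + '[x]'.repeat(50), 'v'];
```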
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.