CVE-2026-5038

5.3 MEDIUM

Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage

Published: 2026-06-15 · Last updated: 2026-06-16

Severity and scoring

CVSS: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-459

Affected products

Vendor	Product
expressjs	multer

Description

Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required. Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path. Workarounds: None.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-5038
[Vendor advisory]https://cna.openjsf.org/security-advisories.html
[Vendor advisory]https://github.com/expressjs/multer/security/advisories/GHSA-3p4h-7m6x-2hcm

Related CVEs

Same vendor

CVE-2026-5079 — Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in mult... (7.5 HIGH)

Same CWE

CVE-2026-53867 — Capgo before 12.128.2 fails to delete previously uploaded profile images from backend storage when users replace or remove them (4.3 MEDIUM)
CVE-2026-33232 — AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents (7.5 HIGH)
CVE-2026-43395 — In the Linux kernel, the following vulnerability has been resolved: drm/xe/sync: Cleanup partially initialized sync on parse failure xe... (5.5 MEDIUM)