CVE-2026-5038

Source
https://cve.org/CVERecord?id=CVE-2026-5038
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5038.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-5038
Aliases
Downstream
Published
2026-06-15T14:23:24.230Z
Modified
2026-07-16T03:48:36.615297860Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads
Details

Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.

Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.

Workarounds: None.

Database specific
{
    "cwe_ids": [
        "CWE-459"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/5xxx/CVE-2026-5038.json",
    "cna_assigner": "openjs"
}
References

Affected packages

Git / github.com/expressjs/multer

Affected ranges

Type
GIT
Repo
https://github.com/expressjs/multer
Events
Database specific
{
    "cpe": "cpe:2.3:a:expressjs:multer:*:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.2.0"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.1.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5038.json"