GHSA-72gw-mp4g-v24j

Source
https://github.com/advisories/GHSA-72gw-mp4g-v24j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-72gw-mp4g-v24j/GHSA-72gw-mp4g-v24j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-72gw-mp4g-v24j
Aliases
  • CVE-2026-5079
Published
2026-06-17T18:12:27Z
Modified
2026-06-17T18:15:11.245203508Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Multer vulnerable to Denial of Service via deeply nested field names
Details

Impact

Multer is vulnerable to a Denial of Service (DoS) via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names (e.g., a[b][c]) with no limit on nesting depth, so every additional bracket group forces allocation of one more nested object. An attacker who sends a field name with an arbitrarily long chain of bracket groups therefore makes the server build a correspondingly deep object structure, consuming CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this; no authentication or user interaction is required (CVSS AV:N/PR:N/UI:N).

Patches

Users should upgrade to 2.2.0 (or, on the 3.x prerelease line, 3.0.0-alpha.2) and configure limits.fieldNestingDepth to the minimum depth their application actually requires; the default is not a substitute for choosing a value that matches the forms the application accepts.

Workarounds

Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue, because the nesting depth of a single field name is still unbounded, but it caps how many such fields one request can carry and so limits the impact.

Database specific
{
    "github_reviewed_at": "2026-06-17T18:12:27Z",
    "nvd_published_at": "2026-06-15T14:16:37Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "HIGH"
}
Affected packages

npm / multer
  Affected ranges (SEMVER): introduced 1.0.0, fixed 2.2.0
  Database specific: source "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-72gw-mp4g-v24j/GHSA-72gw-mp4g-v24j.json"

npm / multer
  Affected ranges (SEMVER): introduced 3.0.0-alpha.1, fixed 3.0.0-alpha.2
  Database specific: source "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-72gw-mp4g-v24j/GHSA-72gw-mp4g-v24j.json"