Multer is vulnerable to a Denial of Service (DoS) via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names (e.g., a[b][c]) with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.
Users should upgrade to 2.2.0 and configure limits.fieldNestingDepth to the minimum depth their application requires.
As a partial workaround on versions without limits.fieldNestingDepth, set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This caps how many field names are parsed, not how deeply any one of them nests, so a single deeply nested field name still gets through; it limits the impact but does not fully mitigate the issue.
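The mechanism above, as an added example that is not Multer's or append-field's own code: a bracket-notation field-name expander that reproduces the unbounded behaviour the advisory describes, beside a depth-limited variant that rejects a name before allocating anything, plus a constructed multipart body showing that one field name is enough to carry the payload. All function names here (parseFieldName, fieldNestingDepth, appendFieldUnbounded, appendFieldLimited, objectDepth, nestedFieldName, multipartBody, fieldNamesFromBody) are assumptions for the demo, not the library's API.

```javascript
// Added example (not Multer's or append-field's code): a bracket-notation
// field-name expander modelled on the behaviour the advisory describes, with
// a depth-limited counterpart. Every function name here is an assumption.

// "a[b][c]" -> ["a", "b", "c"]; a name without brackets is a single key.
function parseFieldName(name) {
  const m = /^([^\[]+)((?:\[[^\]]*\])*)$/.exec(name);
  if (!m) return [name];
  const keys = [m[1]];
  const seg = /\[([^\]]*)\]/g;
  let s;
  while ((s = seg.exec(m[2])) !== null) keys.push(s[1]);
  return keys;
}

// Nesting depth implied by a field name = number of bracket segments.
function fieldNestingDepth(name) {
  return parseFieldName(name).length - 1;
}

// Vulnerable pattern: allocate one nested container per bracket segment with
// no upper bound, so a name with n segments costs n objects of CPU and memory.
function appendFieldUnbounded(target, name, value) {
  const keys = parseFieldName(name);
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened pattern: check the depth before allocating anything, which is what a
// limits.fieldNestingDepth-style setting has to do. A hostile name then costs
// one regex scan instead of n allocations.
function appendFieldLimited(target, name, value, maxDepth) {
  const depth = fieldNestingDepth(name);
  if (depth > maxDepth) {
    throw new Error(`field nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return appendFieldUnbounded(target, name, value);
}

// Depth of the object tree actually built, measured iteratively so that a deep
// chain does not exhaust the call stack while we count it.
function objectDepth(obj) {
  let max = 0;
  const stack = [[obj, 0]];
  while (stack.length) {
    const [node, d] = stack.pop();
    if (typeof node !== 'object' || node === null) continue;
    if (d + 1 > max) max = d + 1;
    for (const k of Object.keys(node)) stack.push([node[k], d + 1]);
  }
  return max;
}

// Attacker side: a name with n bracket segments, e.g. n=3 -> "a[b][b][b]".
function nestedFieldName(n) {
  return 'a' + '[b]'.repeat(n);
}

// Constructed multipart/form-data body (a sample, not a captured request) that
// carries a single text field under the given name.
function multipartBody(boundary, fieldName, value) {
  return [
    `--${boundary}`,
    `Content-Disposition: form-data; name="${fieldName}"`,
    '',
    value,
    `--${boundary}--`,
    '',
  ].join('\r\n');
}

// Pull field names out of the Content-Disposition headers in such a body.
function fieldNamesFromBody(body) {
  const names = [];
  const re = /Content-Disposition: form-data; name="([^"]*)"/g;
  let m;
  while ((m = re.exec(body)) !== null) names.push(m[1]);
  return names;
}

// Demo: one field in one request with 5000 bracket segments expands to a
// 5001-deep object tree without a limit, and is rejected outright with a limit of 5.
const hostileBody = multipartBody('----demo', nestedFieldName(5000), 'x');
const [hostileName] = fieldNamesFromBody(hostileBody);
console.log('unbounded depth:', objectDepth(appendFieldUnbounded({}, hostileName, 'x')));
try {
  appendFieldLimited({}, hostileName, 'x', 5);
} catch (e) {
  console.log('limited:', e.message);
}
```

The depth check runs on the parsed key list before any container is created, so the cost of a rejected request is bounded by the length of the field name rather than by the number of nested levels it asks for; that ordering is the whole point of a nesting-depth limit, and a check performed after expansion would not help.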
{
"github_reviewed_at": "2026-06-17T18:12:27Z",
"nvd_published_at": "2026-06-15T14:16:37Z",
"github_reviewed": true,
"cwe_ids": [
"CWE-400"
],
"severity": "HIGH"
}