MEDIUM 5.3

GHSA-3p4h-7m6x-2hcm

Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads

Details

### Impact

A vulnerability in Multer allows an attacker to trigger a Denial of Service (DoS) by aborting or sending malformed multipart uploads, causing orphaned partial files to accumulate on disk when using `diskStorage`.

### Patches

Users should upgrade to `2.2.0`, `3.0.0-alpha.2` or higher.

### Workarounds

None

Affected packages

- npm / multer: introduced in 2.0.0-alpha.1, fixed in 2.2.0. Fix: `npm install multer@2.2.0`
- npm / multer: introduced in 3.0.0-alpha.1, fixed in 3.0.0-alpha.2. Fix: `npm install multer@3.0.0-alpha.2`
