HIGH 7.5

GHSA-72gw-mp4g-v24j

Multer vulnerable to Denial of Service via deeply nested field names

Details

### Impact

Multer is vulnerable to a Denial of Service (DoS) via deeply nested field names in multipart form data. The `append-field` dependency parses bracket notation in field names (e.g., `a[b][c]`) with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.

### Patches

Users should upgrade to `2.2.0` and configure `limits.fieldNestingDepth` to the minimum depth their application requires.

### Workarounds

Set `limits.fields` to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / multer

Introduced in: 1.0.0 Fixed in: 2.2.0

Fix npm install multer@2.2.0

npm / multer

Introduced in: 3.0.0-alpha.1 Fixed in: 3.0.0-alpha.2

Fix npm install multer@3.0.0-alpha.2

References

https://github.com/expressjs/multer/security/advisories/GHSA-72gw-mp4g-v24j [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2026-5079 [ADVISORY]
https://cna.openjsf.org/security-advisories.html [WEB]
https://github.com/expressjs/multer [PACKAGE]