CVE-2026-5038 | Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.… | CVSS 5.3 MEDIUM

Description

Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required. Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path. Workarounds: None.

Metadata

CVE ID: CVE-2026-5038
State: PUBLISHED
Assigner: openjs
Reserved: 2026-03-27 16:26 UTC
Published: 2026-06-15 14:23 UTC
Last updated: 2026-06-15 16:07 UTC
Primary CWE: CWE-459
CWE-459: Incomplete Cleanup
Vendor / Product: multer / multer
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
multer	multer	—	2.0.0-alpha.1 < 2.2.0, 2.2.0, 3.0.0-alpha.1 < 3.0.0-alpha.2, 3.0.0-alpha.2

Weakness (CWE)

CWE	Source	Description
CWE-459	cna	CWE-459: Incomplete Cleanup

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (2)