GHSA-3p4h-7m6x-2hcmMediumCVSS 5.3

Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads

Published
June 17, 2026
Last Modified
June 17, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

A vulnerability in Multer allows an attacker to trigger a Denial of Service (DoS) by aborting or sending malformed multipart uploads, causing orphaned partial files to accumulate on disk when using diskStorage.

Patches

Users should upgrade to 2.2.0, 3.0.0-alpha.2 or higher

Workarounds

None

🎯 Affected products2

  • npm/multer:>= 2.0.0-alpha.1, < 2.2.0
  • npm/multer:>= 3.0.0-alpha.1, < 3.0.0-alpha.2

🔗 References (4)