GHSA-72gw-mp4g-v24jHighCVSS 7.5

Multer vulnerable to Denial of Service via deeply nested field names

Published
June 17, 2026
Last Modified
June 17, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

Multer is vulnerable to a Denial of Service (DoS) via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names (e.g., a[b][c]) with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.

Patches

Users should upgrade to 2.2.0 and configure limits.fieldNestingDepth to the minimum depth their application requires.

Workarounds

Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.

🎯 Affected products2

  • npm/multer:>= 1.0.0, < 2.2.0
  • npm/multer:>= 3.0.0-alpha.1, < 3.0.0-alpha.2

🔗 References (4)