GHSA-72gw-mp4g-v24jHighCVSS 7.5
Multer vulnerable to Denial of Service via deeply nested field names
🔗 CVE IDs covered (1)
📋 Description
Impact
Multer is vulnerable to a Denial of Service (DoS) via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names (e.g., a[b][c]) with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.
Patches
Users should upgrade to 2.2.0 and configure limits.fieldNestingDepth to the minimum depth their application requires.
Workarounds
Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.
🎯 Affected products2
- npm/multer:>= 1.0.0, < 2.2.0
- npm/multer:>= 3.0.0-alpha.1, < 3.0.0-alpha.2