{"vulnerability": "cve-2026-5038", "sightings": [{"uuid": "46401b53-afbe-4818-b1c6-c5446752f033", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5038", "type": "seen", "source": "https://bsky.app/profile/ulisesgascon.com/post/3modiqffra227", "content": "\ud83d\udea8 Medium-severity security fix in multer@2.2.0 and multer@3.0.0-alpha.2 just released!\n\nPatches CVE-2026-5038. multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads.\n\ngithub.com/expressjs/mu...", "creation_timestamp": "2026-06-15T14:30:59.988394Z"}, {"uuid": "0bf17dac-63b3-4f46-9124-464cbcb5dd58", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5038", "type": "seen", "source": "https://gist.github.com/alon710/5e84b244224c89ffba5a0429bff51a5c", "content": "# CVE-2026-5038: CVE-2026-5038: Denial of Service via Incomplete File Cleanup in Multer diskStorage Engine\n\n> **CVSS Score:** 5.3\n> **Published:** 2026-06-17\n> **Full Report:** https://cvereports.com/reports/CVE-2026-5038\n\n## Summary\nCVE-2026-5038 is a critical denial of service vulnerability in the Node.js Multer middleware. When utilizing the diskStorage engine, connection termination or validation failures leave partial files orphaned on the local filesystem due to stream-destruction signal propagation failures in Node's piping mechanism. Remote unauthenticated attackers can exploit this to fill server disks and induce system crashes.\n\n## TL;DR\nUnauthenticated remote attackers can exhaust server disk space and cause Denial of Service by initiating and aborting file uploads in Multer's diskStorage engine, leaving un-tracked, orphaned temporary files on the disk.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-459 (Incomplete Cleanup)\n- **Attack Vector**: Network (AV:N)\n- **Attack Complexity**: Low (AC:L)\n- **EPSS Score**: 0.00278 (19.40th Percentile)\n- **Exploit Status**: Proof-of-Concept Available\n- **CISA KEV Status**: Not Listed\n- **Impact Class**: Denial of Service (DoS)\n\n## Affected Systems\n\n- Node.js web servers utilizing Multer with diskStorage configuration\n- **multer**: >= 2.0.0-alpha.1, < 2.2.0 (Fixed in: `2.2.0`)\n- **multer**: >= 3.0.0-alpha.1, < 3.0.0-alpha.2 (Fixed in: `3.0.0-alpha.2`)\n\n## Mitigation\n\n- Upgrade Multer dependencies to fixed versions\n- Apply directory-level disk partition quotas\n- Configure upstream request body restrictions\n- Establish routine filesystem purges for temporary paths\n\n**Remediation Steps:**\n1. Analyze dependency tree to locate instances of Multer below version 2.2.0 or 3.0.0-alpha.2.\n2. Execute 'npm install multer@2.2.0' or update package configuration manifests accordingly.\n3. Re-configure NGINX upstream using the 'client_max_body_size' directive to restrict unvetted payload transfer sizes.\n4. Schedule system cron tasks to sweep and purge unlinked files inside the storage directory older than three hours.\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-5038) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-17T20:11:38.000000Z"}]}