CVE-2026-5038 (GCVE-0-2026-5038)

Vulnerability from cvelistv5 – Published: 2026-06-15 14:23 – Updated: 2026-06-15 16:07
Title
multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads
Summary
Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.

Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.

Workarounds: None.
SSVC
Exploitation: none; Automatable: yes; Technical Impact: partial (CISA Coordinator, v2.0.3)
CVSS v3.1
5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) as scored by the openjs CNA; NVD's primary assessment is 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS (2026-07-01)
0.00278 (percentile 0.19664)
CWE
CWE-459: Incomplete Cleanup
Assigner
openjs (OpenJS Foundation CNA)
Impacted products
Vendor   Product   Version
multer   multer    Affected: from 2.0.0-alpha.1, < 2.2.0 (semver)
                   Unaffected: 2.2.0 (semver)
                   Affected: from 3.0.0-alpha.1, < 3.0.0-alpha.2 (semver)
                   Unaffected: 3.0.0-alpha.2 (semver)
Credits
Finders: HamdaanAliQuatil, fasrm, 0xStraw-Hat, bhaswanthc, ByamB4, sbouabid-sec, DavidCarliez, JebeenLee
Remediation developer: UlisesGascon
Remediation reviewers: yuki-matsuhashi, bjohansebas

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5038",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T16:07:25.876003Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T16:07:45.114Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/multer",
          "product": "multer",
          "vendor": "multer",
          "versions": [
            {
              "lessThan": "2.2.0",
              "status": "affected",
              "version": "2.0.0-alpha.1",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "2.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "3.0.0-alpha.2",
              "status": "affected",
              "version": "3.0.0-alpha.1",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "3.0.0-alpha.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "yuki-matsuhashi"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "HamdaanAliQuatil"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "fasrm"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "UlisesGascon"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "bjohansebas"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "0xStraw-Hat"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "bhaswanthc"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "ByamB4"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "sbouabid-sec"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "DavidCarliez"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "JebeenLee"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to \nthe underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.\n\nPatches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.\n\nWorkarounds: None."
            }
          ],
          "value": "Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to \nthe underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.\n\nPatches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.\n\nWorkarounds: None."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-459",
              "description": "CWE-459: Incomplete Cleanup",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T14:23:24.230Z",
        "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "shortName": "openjs"
      },
      "references": [
        {
          "url": "https://github.com/expressjs/multer/security/advisories/GHSA-3p4h-7m6x-2hcm"
        },
        {
          "url": "https://cna.openjsf.org/security-advisories.html"
        }
      ],
      "title": "multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads",
      "x_generator": {
        "engine": "cve-kit 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "assignerShortName": "openjs",
    "cveId": "CVE-2026-5038",
    "datePublished": "2026-06-15T14:23:24.230Z",
    "dateReserved": "2026-03-27T16:26:09.638Z",
    "dateUpdated": "2026-06-15T16:07:45.114Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

