CVE-2026-5079

Description

### Impact Multer is vulnerable to a Denial of Service (DoS) via deeply nested field names in multipart form data. The `append-field` dependency parses bracket notation in field names (e.g., `a[b][c]`) with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this. ### Patches Users should upgrade to `2.2.0` and configure `limits.fieldNestingDepth` to the minimum depth their application requires. ### Workarounds Set `limits.fields` to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.

How to fix CVE-2026-5079

To remediate CVE-2026-5079, upgrade the affected package to a fixed version below.

• —upgrade to 2.2.0 or later

Is CVE-2026-5079 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-5079.

Affected packages (1)

• >= 1.0.0, < 2.2.0

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-5079
• PATCHgithub.com/expressjs/multer
• WEBcna.openjsf.org/security-advisories.html
• WEBgithub.com/expressjs/multer/security/advisories/GHSA-72gw-mp4g-v24j