CVE-2026-5079
Multer vulnerable to Denial of Service via deeply nested field names
描述
### Impact Multer is vulnerable to a Denial of Service (DoS) via deeply nested field names in multipart form data. The `append-field` dependency parses bracket notation in field names (e.g., `a[b][c]`) with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this. ### Patches Users should upgrade to `2.2.0` and configure `limits.fieldNestingDepth` to the minimum depth their application requires. ### Workarounds Set `limits.fields` to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.
如何修補 CVE-2026-5079
要修補 CVE-2026-5079,請將受影響套件升級到下列已修補版本。
- —升級至 2.2.0 或更新版本
CVE-2026-5079 正在被利用嗎?
目前沒有被利用訊號。CVE-2026-5079 既不在 CISA KEV 也沒有最新的 EPSS 分數。
受影響套件(1)
- >= 1.0.0, < 2.2.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |