Threat Advisory

Multer Vulnerability Allows Denial of Service

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-5079 with a CVSS score of 7.5 is a high‑severity denial‑of‑service flaw in the npm multer middleware for Node.js, affecting versions ≥ 1.0.0 < 2.2.0 and the pre‑release range ≥ 3.0.0‑alpha.1 < 3.0.0‑alpha.2. Multer relies on the append‑field dependency to parse multipart form field names that use bracket notation, but it imposes no limit on nesting depth, allowing an attacker to construct a single HTTP request with a multipart body whose field names are nested thousands of levels deep. This crafted request forces the parser to allocate deeply nested JavaScript objects, exhausting CPU cycles and memory without requiring authentication or elevated privileges; the only prerequisite is network access to an endpoint that processes file uploads with the vulnerable Multer version. Successful exploitation results in uncontrolled resource consumption that can crash the Node.js process or degrade performance, leading to service interruption, SLA violations, loss of revenue, and reputational harm for the affected organization. The attack vector is purely remote and requires no special conditions beyond the presence of the vulnerable library and an exposed upload route.

RECOMMENDATION:

  • We recommend updating npm/multer to version 2.2.0 for deployments on the affected 1.x and 2.x releases.
  • We recommend updating npm/multer to version 3.0.0-alpha.2 for deployments on the affected 3.0.0-alpha.1 pre-release.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-72gw-mp4g-v24j
