ZeroPath at Black Hat USA 2026

Multer CVE-2026-5079: Brief Summary of a Single Request DoS via Deeply Nested Field Names

A short review of CVE-2026-5079, a high severity Denial of Service vulnerability in the multer Node.js middleware caused by unbounded nesting depth in multipart form field name parsing. Affected versions span 1.0.0 through 2.1.1 and 3.0.0-alpha.1.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-15

Multer CVE-2026-5079: Brief Summary of a Single Request DoS via Deeply Nested Field Names
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A single HTTP request containing a carefully crafted multipart form field name can bring down a Node.js server running multer, the most widely used middleware for handling file uploads in the Express.js ecosystem. CVE-2026-5079, scored at CVSS 7.5 (High), affects every multer deployment from version 1.0.0 through 2.1.1, which translates to a blast radius spanning 17.5 million weekly npm downloads and over 6,400 dependent packages.

The vulnerability originates not in multer itself but in its transitive dependency append-field, which implements W3C HTML JSON forms bracket notation parsing with no upper bound on nesting depth. This is the seventh DoS vulnerability disclosed in multer since mid 2025, a pattern that warrants attention from any team running Node.js services that accept multipart form data.

Technical Information

Vulnerability Classification

CVE-2026-5079 falls under CWE-400: Uncontrolled Resource Consumption. The CVSS v3 vector reflects a network accessible attack with low complexity, requiring no privileges or user interaction, producing high impact on availability with no effect on confidentiality or integrity.

The Role of append-field

Multer is built on top of the Busboy streaming parser for maximum efficiency when handling multipart/form-data requests. When Busboy emits parsed field events, multer uses the append-field package to construct a JavaScript object from the field names. The append-field package is described as a "W3C HTML JSON forms spec compliant field appender" and implements bracket notation parsing. For example, a field named user[address][city] is transformed into the nested object { user: { address: { city: "value" } } }.

The critical design flaw is that append-field places no limit on nesting depth. It will faithfully attempt to construct an object tree of arbitrary depth based on whatever bracket notation it receives.

Attack Flow

The exploitation path is straightforward and requires no special tooling:

  1. The attacker constructs an HTTP POST request with Content-Type: multipart/form-data.
  2. Within the multipart body, the attacker includes one or more field names containing extremely deep bracket notation nesting, for example a[b][c][d]...[z] repeated hundreds or thousands of times.
  3. The target server receives the request and Busboy begins parsing the multipart stream, emitting field events as it encounters each part.
  4. Multer receives the field events and delegates to append-field to construct the corresponding JavaScript object.
  5. append-field recursively creates nested objects matching the full depth of the bracket notation. This recursive allocation consumes significant CPU cycles and memory.
  6. With sufficient nesting depth, the server's event loop is blocked and memory is exhausted, resulting in denial of service.

The key properties that make this vulnerability particularly concerning:

  • Single request exploitation: One crafted HTTP POST is sufficient. There is no need for sustained traffic or amplification.
  • No authentication required: Any client that can reach a multer handled endpoint can trigger the vulnerability.
  • No application specific knowledge needed: The attacker does not need to know anything about the target application's field schema or internal structure.

Root Cause: Unbounded Recursion in a Transitive Dependency

This vulnerability highlights a recurring challenge in the Node.js ecosystem: security critical behavior buried in transitive dependencies. The append-field package is not something most developers consciously choose or configure. It is pulled in automatically as a dependency of multer, and its behavior (unbounded recursive object construction) is invisible to application developers until it becomes an attack vector.

The fix in multer 2.2.0 and 3.0.0-alpha.2 introduces a new limits.fieldNestingDepth configuration option that caps how deep the bracket notation parsing will go. This moves the enforcement boundary into multer itself rather than relying on append-field to self limit.

Affected Systems and Versions

Version RangeStatus
multer 1.0.0 through 2.1.1Vulnerable
multer 3.0.0-alpha.1Vulnerable
multer 2.2.0 and later (2.x line)Patched
multer 3.0.0-alpha.2 and later (3.x prerelease)Patched

The vulnerability spans the entire production history of multer from its 1.0.0 release onward. Any Node.js application using multer to handle multipart form uploads is affected unless it has been upgraded to one of the patched versions.

The partial workaround of setting limits.fields to a low value can reduce exposure but does not fully mitigate the issue, because even a single deeply nested field name can trigger significant resource consumption.

Organizations should also audit their dependency trees for indirect usage of multer. With 6,473 dependent packages on npm, multer may be present in applications through frameworks, boilerplate generators, or other middleware libraries that bundle it.

Vendor Security History

Multer's security track record over the past year reveals a pattern of recurring DoS vulnerabilities, each exploiting a different weakness in multipart handling:

CVECVSSRoot CausePatched In
CVE-2025-47935HighMemory leak via malformed multipart requests2.0.0
CVE-2025-47944HighImproper stream handling2.0.0
CVE-2025-7338HighUnhandled Busboy error events crash Node.js process2.0.2
CVE-2026-2359N/ADoS via dropped connection during file upload2.1.0
CVE-2026-33048.7Incomplete cleanup of resources (orphaned memory/file descriptors)2.1.0
CVE-2026-3520N/ADoS via malformed requests causing stack overflow2.1.1
CVE-2026-50797.5Uncontrolled nesting depth in append-field2.2.0

The OpenJS Foundation, which hosts multer and Express.js, became a CVE Numbering Authority in June 2025 and has been responsive in issuing patches and coordinated disclosures. The advisory for CVE-2026-5079 was published by UlisesGascon, a contributor to the expressjs organization's security efforts.

However, the diversity of root causes across these seven CVEs (unhandled exceptions, memory leaks, incomplete cleanup, unbounded recursion) suggests that multipart/form-data parsing presents inherent complexity that individual fixes cannot fully address. Teams relying on multer should plan for ongoing patching cycles and implement defense in depth measures at the infrastructure layer: rate limiting multipart POST requests at the reverse proxy, enforcing maximum request body sizes, and monitoring for anomalous field name patterns.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization