CVE-2026-5038 - Medium Severity Vulnerability
Vulnerable Library - multer-2.1.1.tgz
Middleware for handling `multipart/form-data`.
Library home page: https://registry.npmjs.org/multer/-/multer-2.1.1.tgz
Path to dependency file: /OPENAPI-REST-API/swagger-client/nodejs-server/package.json
Path to vulnerable library: /OPENAPI-REST-API/swagger-client/nodejs-server/node_modules/express-openapi-validator/node_modules/multer/package.json
Dependency Hierarchy:
- oas3-tools-2.2.3.tgz (Root Library)
- express-openapi-validator-4.13.9.tgz
- ❌ multer-2.1.1.tgz (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to
the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.
Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.
Workarounds: None.
Publish Date: 2026-06-15
URL: CVE-2026-5038
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3p4h-7m6x-2hcm
Release Date: 2026-06-15
Fix Resolution: multer - 3.0.0-alpha.2,multer - 2.2.0,https://github.com/expressjs/multer.git - v2.2.0
Step up your Open Source Security Game with Mend here
CVE-2026-5038 - Medium Severity Vulnerability
Middleware for handling `multipart/form-data`.
Library home page: https://registry.npmjs.org/multer/-/multer-2.1.1.tgz
Path to dependency file: /OPENAPI-REST-API/swagger-client/nodejs-server/package.json
Path to vulnerable library: /OPENAPI-REST-API/swagger-client/nodejs-server/node_modules/express-openapi-validator/node_modules/multer/package.json
Dependency Hierarchy:
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Impact: multer versions 2.0.0-alpha.1 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service when using diskStorage. Aborted or malformed multipart uploads leave orphaned partial files on disk because the Readable.pipe() call does not propagate the stream destroy signal to
the underlying fs.WriteStream. An attacker can exhaust disk space by triggering many aborted uploads, with no application bug required.
Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease). Both versions track in-flight write streams and clean them up on the abort path.
Workarounds: None.
Publish Date: 2026-06-15
URL: CVE-2026-5038
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-3p4h-7m6x-2hcm
Release Date: 2026-06-15
Fix Resolution: multer - 3.0.0-alpha.2,multer - 2.2.0,https://github.com/expressjs/multer.git - v2.2.0
Step up your Open Source Security Game with Mend here