CVSS 7.5 HIGH Vulnerability

CVE-2026-5079: Multer vulnerable to Denial of Service via deeply nested field names


CVSS Score: 7.5
Severity: HIGH
CISA KEV: NO
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-5079
Vendor: npm
Affected Product: multer
Vulnerability Type: Vulnerability
CVSS Score: 7.5 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Impact: Multer is vulnerable to a Denial of Service (DoS) via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names (e.g., a[b][c]) with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this.

Patches: Users should upgrade to 2.2.0 and configure limits.fieldNestingDepth to the minimum depth their application requires.

Workarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.
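As an added illustration (not Multer's or append-field's code), the sketch below models the two limits named above as a check over field names before they reach a bracket-notation parser. The function names, the sample input and the depth convention (a[b][c] counted as depth 2) are assumptions; confirm how limits.fieldNestingDepth counts depth against the Multer 2.2.0 documentation.

```javascript
'use strict';

// Depth of bracket nesting in a field name: "a" -> 0, "a[b][c]" -> 2.
// Scanning stops once maxDepth is exceeded, so the work done is bounded by
// the limit and not by the length of the supplied name.
function nestingDepth(name, maxDepth = Infinity) {
  let depth = 0;
  let pos = name.indexOf('[');
  while (pos !== -1 && depth <= maxDepth) {
    const close = name.indexOf(']', pos + 1);
    if (close === -1) break; // unterminated bracket: treat as literal text
    depth += 1;
    // Only directly chained segments ("[x][y]") add further depth.
    pos = name[close + 1] === '[' ? close + 1 : -1;
  }
  return depth;
}

// Apply both limits to the text field names of one request.
// maxFields plays the role of limits.fields and maxDepth the role of
// limits.fieldNestingDepth (hypothetical option names for this sketch).
function checkFieldNames(names, { maxFields, maxDepth }) {
  if (names.length > maxFields) {
    return { ok: false, reason: 'too many fields' };
  }
  for (const name of names) {
    if (nestingDepth(name, maxDepth) > maxDepth) {
      // Truncate the name so a rejected request cannot bloat the log.
      return { ok: false, reason: 'field nesting too deep', field: name.slice(0, 32) };
    }
  }
  return { ok: true };
}

// Constructed sample input: an ordinary form and one over-nested name.
const limits = { maxFields: 20, maxDepth: 2 };
const normalForm = ['title', 'user[name]', 'user[address][city]'];
const nestedForm = ['title', 'a' + '[x]'.repeat(64)];

console.log(checkFieldNames(normalForm, limits)); // accepted
console.log(checkFieldNames(nestedForm, limits)); // rejected on depth
```

The field-count check alone accepts nestedForm, which matches the advisory's statement that limits.fields reduces the impact without fully mitigating the issue.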
