Multer vulnerable to Denial of Service via deeply nested field names
- When
- Where
- Global (internet)
- Category
- cyber_advisory · npm
### Impact Multer is vulnerable to a Denial of Service (DoS) via deeply nested field names in multipart form data. The `append-field` dependency parses bracket notation in field names (e.g., `a[b][c]`) with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this. ### Patches Users should upgrade to `2.2.0` and configure `limits.fieldNestingDepth` to the minimum depth their application requires. ### Workarounds Set `limits.fields` to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact.
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-17 18:12 UTC
Defaxon links out to the original reporting and never republishes article text.
Correlated events
Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.