Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads

When

2026-06-17 18:11 UTC

Where

Global (internet)

Category

cyber_advisory · npm

### Impact A vulnerability in Multer allows an attacker to trigger a Denial of Service (DoS) by aborting or sending malformed multipart uploads, causing orphaned partial files to accumulate on disk when using diskStorage. ### Patches Users should upgrade to `2.2.0`, `3.0.0-alpha.2` or higher ### Workarounds None

Sources

• GitHub Advisory Database ↗ · first seen 2026-06-17 18:11 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

• Multer vulnerable to Denial of Service via deeply nested field names
  Shared actorsInvolves npm/multer, npm/multer· 89% match

← Back to the live map