CVE-2026-5038: Denial of Service via Incomplete File Cleanup in Multer diskStorage Engine
Vulnerability ID: CVE-2026-5038
CVSS Score: 5.3
Published: 2026-06-17
CVE-2026-5038 is a critical denial of service vulnerability in the Node.js Multer middleware. When the diskStorage engine is used, a terminated connection or a validation failure leaves a partial file orphaned on the local filesystem, because the stream-destruction signal is not propagated through Node's piping mechanism. Remote unauthenticated attackers can exploit this to fill the server's disk and crash the system.
TL;DR
Unauthenticated remote attackers can exhaust server disk space and cause a denial of service by initiating and then aborting file uploads to Multer's diskStorage engine, leaving untracked, orphaned temporary files on the disk.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-459 (Incomplete Cleanup)
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- EPSS Score: 0.00278 (19.40th Percentile)
- Exploit Status: Proof-of-Concept Available
- CISA KEV Status: Not Listed
- Impact Class: Denial of Service (DoS)
Affected Systems
- Node.js web servers utilizing Multer with diskStorage configuration
- multer: >= 2.0.0-alpha.1, < 2.2.0 (Fixed in: 2.2.0)
- multer: >= 3.0.0-alpha.1, < 3.0.0-alpha.2 (Fixed in: 3.0.0-alpha.2)
Mitigation Strategies
- Upgrade Multer dependencies to fixed versions
- Apply directory-level disk partition quotas
- Configure upstream request body restrictions
- Establish routine filesystem purges for temporary paths
Remediation Steps
- Analyze the dependency tree to locate instances of Multer below version 2.2.0 or 3.0.0-alpha.2.
- Execute 'npm install multer@2.2.0' or update the package configuration manifests accordingly.
- Re-configure the NGINX upstream using the 'client_max_body_size' directive to restrict unvetted payload transfer sizes.
- Schedule system cron tasks to sweep and purge orphaned (no longer referenced) files inside the storage directory older than three hours.
Read the full report for CVE-2026-5038 on our website for more details including interactive diagrams and full exploit analysis.