Security Advisory - Published 2026-06-15 - Node.js Upload Middleware

multer CVE-2026-5079: check upload endpoints for nested-field DoS exposure

OpenJS lists CVE-2026-5079 as a multer denial-of-service issue involving deeply nested multipart field names. Any Node.js application that accepts public file uploads should check dependency versions, upload limits, worker memory, and recent upload errors.

Defensive scope: this page covers owned applications and approved client environments. It does not publish malformed request samples or reproduction payloads.

Where this matters

  • Express, NestJS, Fastify-adjacent, or custom Node.js applications using multer for `multipart/form-data`.
  • Avatar, profile, resume, attachment, product image, ticket, support, or admin upload routes.
  • Serverless handlers where a single expensive parse can consume memory or execution time.
  • Background workers that parse uploaded forms before authentication or before strict size checks.

Dependency check

npm ls multer
npm audit --omit=dev
pnpm why multer
yarn why multer
rg -n "multer\\(|from 'multer'|require\\('multer'\\)" .

Pinning matters. Look at the lockfile actually deployed to production, not just `package.json`. Framework adapters can bring multer indirectly, so check both direct and transitive dependencies.

Endpoint hardening

  • Require authentication before expensive upload parsing when the product allows it.
  • Set strict file size, field count, file count, and request body limits.
  • Apply route-level rate limits on upload paths, separate from normal page traffic.
  • Reject unsupported content types before passing the request to upload middleware.
  • Move CPU- and memory-heavy processing into isolated workers with timeouts.
  • Alert on upload-route 4xx/5xx spikes, Node.js heap pressure, worker restarts, and request timeouts.
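A minimal sketch of the hardening items above, added here as an example (it is not code from this advisory or from the multer project). It assumes Express-style `(req, res, next)` middleware, multer's documented `limits` option and `LIMIT_*` error codes, and limit values constructed for an avatar-style route.

```javascript
'use strict';
// Added example: Express-style upload hardening around multer. The limit
// values below are constructed for a single-avatar route, not taken from
// the advisory; tune them per endpoint.

// Strict parser limits: one small file, a handful of text fields, and a
// bounded part count so one request cannot keep the parser busy for long.
function buildUploadLimits() {
  return {
    fileSize: 2 * 1024 * 1024, // bytes per file
    files: 1,                  // file parts per request
    fields: 10,                // non-file fields per request
    parts: 12,                 // total parts (files + fields)
    fieldNameSize: 100,        // bytes per field name
    fieldSize: 4 * 1024,       // bytes per non-file field value
  };
}

// Reject non-multipart requests before they reach the upload middleware.
// Returns true when the request was passed on, false when it was rejected.
function requireMultipart(req, res, next) {
  const type = String(req.headers['content-type'] || '').toLowerCase();
  if (!type.startsWith('multipart/form-data')) {
    res.statusCode = 415;
    res.end('unsupported media type');
    return false;
  }
  next();
  return true;
}

// Map multer limit errors to 413 and emit one structured log line, so a
// spike of LIMIT_* errors from a few addresses is easy to alert on.
// `req.ip` and `req.path` are assumed Express request properties.
function uploadErrorHandler(err, req, res, next, log = console.warn) {
  if (!err || typeof err.code !== 'string' || !err.code.startsWith('LIMIT_')) {
    next(err); // not a parser limit; let the app's error handler decide
    return null;
  }
  const event = { event: 'upload_limit', code: err.code, ip: req.ip, path: req.path };
  log(JSON.stringify(event));
  res.statusCode = 413;
  res.end('upload rejected: ' + err.code);
  return event;
}

// Wiring order (illustrative, not executed here): authentication, then
// requireMultipart, then a route-level rate limiter, then
// multer({ limits: buildUploadLimits() }).single('file'), then the handler,
// with uploadErrorHandler registered last as the error middleware.
```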

Log review

rg -n "multer|multipart|upload|PayloadTooLarge|LIMIT_|heap out of memory|ENOMEM|request entity too large" logs/ .
rg -n "POST .*upload|POST .*attachment|POST .*avatar|POST .*file" logs/ .

A clean review shows normal upload volume, no repeated multipart parser errors from a small set of addresses, no memory-driven restarts, and no crash loop around upload endpoints after disclosure.

Repair help

Use Ping7 CVE Repair when upload routes crash the service, the dependency tree is unclear, or production logs show memory pressure you cannot connect to normal traffic. Ping7 can review the deployed lockfile, upload middleware, request limits, and incident logs for owned applications.
