Description
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.
Published: 2026-03-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via stack overflow
Action: Upgrade
AI Analysis

Impact

A flaw in the Node.js middleware Multer allows an attacker to cause a stack overflow by sending specially crafted multipart/form‑data requests. The unchecked recursion in the parsing logic leads to an uncontrolled resource exhaustion that can hung the application process and render the service unavailable. The vulnerability is classified as a high‑severity Denial of Service.

Affected Systems

The issue affects Express.js Multer before version 2.1.1 running on any Node.js environment. All installations that rely on a vulnerable version of this middleware are potentially impacted.

Risk and Exploitability

The CVSS score of 8.7 indicates a severe threat. The EPSS score is below 1 %, suggesting that exploitation has not been observed in the wild, and the vulnerability is not listed in CISA’s KEV catalog. An attacker could exploit the flaw remotely by delivering malformed multipart requests over HTTP, assuming the endpoint is exposed to the network. (Based on the description, it is inferred that the attack vector is HTTP.) No active exploits are reported and the attack likely requires sending many crafted packets to trigger the recursion.

Generated by OpenCVE AI on April 17, 2026 at 13:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Multer to version 2.1.1 or later.
  • Implement validation or preprocessing for multipart requests to reject malformed payloads before invoking Multer.
  • Apply rate limiting or temporarily disable file‑upload endpoints until the patch is applied.

Generated by OpenCVE AI on April 17, 2026 at 13:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5528-5vmv-3xc2 Multer Vulnerable to Denial of Service via Uncontrolled Recursion
History

Mon, 09 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:expressjs:multer:*:*:*:*:*:node.js:*:*

Thu, 05 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important

Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Expressjs
Expressjs multer
Vendors & Products Expressjs
Expressjs multer

Wed, 04 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.
Title Multer vulnerable to Denial of Service via uncontrolled recursion
Weaknesses CWE-674
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Expressjs Multer
cve-icon MITRE

Status: PUBLISHED

Assigner: openjs

Published:

Updated: 2026-03-04T17:12:25.815Z

Reserved: 2026-03-04T15:27:42.237Z

Link: CVE-2026-3520

cve-icon Vulnrichment

Updated: 2026-03-04T17:12:17.326Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T17:16:22.610

Modified: 2026-03-09T18:03:23.100

Link: CVE-2026-3520

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-04T16:17:18Z

Links: CVE-2026-3520 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses