CVE-2026-3304 PUBLISHED

Multer vulnerable to Denial of Service via incomplete cleanup

Assigner: openjs
Reserved: 26.02.2026 Published: 27.02.2026 Updated: 27.02.2026

Multer is a Node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor: expressjs
Product: multer
Versions: Default: unaffected
  • affected from 0.0.0 to 2.1.0 (excl.)

Problem Types

  • CWE-459