Multer vulnerable to Denial of Service via uncontrolled recursion
Summary
| CVE | CVE-2026-3520 |
|---|---|
| State | PUBLISHED |
| Assigner | openjs |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-04 17:16:22 UTC |
| Updated | 2026-06-30 03:19:13 UTC |
| Description | Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available. |
Risk And Classification
Primary CVSS: v4.0 8.7 HIGH from ce714d77-add3-4f53-aff5-83d477b104bb
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.007130000 probability, percentile 0.491040000 (date 2026-07-02)
Problem Types: CWE-674: Uncontrolled Recursion | CWE-770: Allocation of Resources Without Limits or Throttling
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | ce714d77-add3-4f53-aff5-83d477b104bb | Secondary | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Expressjs | Multer | < 2.1.1 (semver), affected | Not specified |
| ADP | Red Hat | Red Hat Developer Hub 1.8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Developer Hub 1.9 | Not specified | Not specified |
| ADP | Red Hat | Self-service Automation Portal 2 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| cna.openjsf.org/security-advisories.html | ce714d77-add3-4f53-aff5-83d477b104bb | cna.openjsf.org | Third Party Advisory |
| github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2 | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | Vendor Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-3520.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6802 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6174 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-3520 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752 | ce714d77-add3-4f53-aff5-83d477b104bb | github.com | Patch |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| www.cve.org/CVERecord | ce714d77-add3-4f53-aff5-83d477b104bb | www.cve.org | Third Party Advisory |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Yuki Matsuhashi (en)
CNA: Chris de Almeida (en)
CNA: Ulises Gascón (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-04T17:01:43.432Z | Reported to Red Hat. |
| ADP | 2026-03-04T16:17:18.962Z | Made public. |
Solutions
ADP: RHSA-2026:6174: Red Hat Developer Hub 1.8
ADP: RHSA-2026:6802: Red Hat Developer Hub 1.9
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.