CVE-2026-3304
Received Received - Intake
Denial of Service in Multer Middleware via Malformed Requests

Publication date: 2026-02-27

Last updated on: 2026-03-19

Assigner: openjs

Description
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-27
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-02-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3304
EUVD
EUVD-2026-9033
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
expressjs multer to 2.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-459 The product does not properly "clean up" and remove temporary or supporting resources after they have been used.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Multer, a Node.js middleware used for handling multipart/form-data. In versions prior to 2.1.0, an attacker can send malformed requests that trigger a Denial of Service (DoS) condition by causing resource exhaustion.

To fix this issue, users should upgrade Multer to version 2.1.0 or later. There are no known workarounds available.

Impact Analysis

The vulnerability can lead to a Denial of Service (DoS) attack, where an attacker sends malformed requests that exhaust system resources. This can cause the affected application or service using Multer to become unresponsive or crash, disrupting normal operations.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, users should upgrade Multer to version 2.1.0 or later, as this version contains the patch for the Denial of Service issue caused by malformed requests.

No known workarounds are available, so upgrading is the primary and immediate step to protect your system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3304. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart