CVE-2026-3520
Received Received - Intake
Stack Overflow DoS in Multer Middleware Before

Publication date: 2026-03-04

Last updated on: 2026-03-09

Assigner: openjs

Description
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3520
EUVD
EUVD-2026-9423
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
expressjs multer to 2.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3520 is a vulnerability in the Multer npm package, a Node.js middleware used for handling multipart/form-data. The issue occurs in versions prior to 2.1.1 and is caused by uncontrolled recursion in the code when processing malformed requests. This uncontrolled recursion can lead to a stack overflow, resulting in a Denial of Service (DoS) condition.

Specifically, the vulnerability arises from a synchronous recursive function call in the removeUploadedFiles function, which can exceed the maximum call stack size when handling many files. The fix involved changing the recursion to an asynchronous call using setImmediate to prevent stack overflow.

Impact Analysis

This vulnerability can impact you by causing a Denial of Service (DoS) on applications using vulnerable versions of Multer. An attacker can send specially crafted malformed requests that trigger uncontrolled recursion, leading to stack overflow and crashing or disrupting the service.

The impact is limited to availability, meaning the service may become unavailable or unresponsive, but confidentiality and integrity of data are not affected.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from Multer versions prior to 2.1.1 when processing malformed multipart/form-data requests, causing uncontrolled recursion and potential stack overflow leading to Denial of Service (DoS). Detection involves monitoring for abnormal application crashes or service disruptions when handling multipart/form-data uploads.

Since the vulnerability is triggered by malformed requests causing stack overflow, you can attempt to detect it by sending crafted multipart/form-data requests to the affected service and observing if the service crashes or becomes unresponsive.

There are no specific detection commands provided in the available resources. However, general approaches include:

  • Using network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze multipart/form-data requests for anomalies.
  • Testing the application with malformed multipart/form-data payloads to see if it triggers a crash or stack overflow.
  • Checking application logs for errors related to stack overflow or crashes during file upload handling.

No specific commands or automated detection scripts are mentioned in the provided resources.

Mitigation Strategies

The primary and recommended mitigation step is to upgrade Multer to version 2.1.1 or later, where the vulnerability has been patched.

No known workarounds are available to mitigate this vulnerability without upgrading.

Upgrading ensures that the recursive call in the removeUploadedFiles function is deferred asynchronously, preventing stack overflow and Denial of Service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3520. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart