CVE-2026-3520
Stack Overflow DoS in Multer Middleware Before
Publication date: 2026-03-04
Last updated on: 2026-03-09
Assigner: openjs
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| expressjs | multer | to 2.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3520 is a vulnerability in the Multer npm package, a Node.js middleware used for handling multipart/form-data. The issue occurs in versions prior to 2.1.1 and is caused by uncontrolled recursion in the code when processing malformed requests. This uncontrolled recursion can lead to a stack overflow, resulting in a Denial of Service (DoS) condition.
Specifically, the vulnerability arises from a synchronous recursive function call in the removeUploadedFiles function, which can exceed the maximum call stack size when handling many files. The fix involved changing the recursion to an asynchronous call using setImmediate to prevent stack overflow.
How can this vulnerability impact me? :
This vulnerability can impact you by causing a Denial of Service (DoS) on applications using vulnerable versions of Multer. An attacker can send specially crafted malformed requests that trigger uncontrolled recursion, leading to stack overflow and crashing or disrupting the service.
The impact is limited to availability, meaning the service may become unavailable or unresponsive, but confidentiality and integrity of data are not affected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from Multer versions prior to 2.1.1 when processing malformed multipart/form-data requests, causing uncontrolled recursion and potential stack overflow leading to Denial of Service (DoS). Detection involves monitoring for abnormal application crashes or service disruptions when handling multipart/form-data uploads.
Since the vulnerability is triggered by malformed requests causing stack overflow, you can attempt to detect it by sending crafted multipart/form-data requests to the affected service and observing if the service crashes or becomes unresponsive.
There are no specific detection commands provided in the available resources. However, general approaches include:
- Using network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze multipart/form-data requests for anomalies.
- Testing the application with malformed multipart/form-data payloads to see if it triggers a crash or stack overflow.
- Checking application logs for errors related to stack overflow or crashes during file upload handling.
No specific commands or automated detection scripts are mentioned in the provided resources.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade Multer to version 2.1.1 or later, where the vulnerability has been patched.
No known workarounds are available to mitigate this vulnerability without upgrading.
Upgrading ensures that the recursive call in the removeUploadedFiles function is deferred asynchronously, preventing stack overflow and Denial of Service.