
Multer CVE-2026-2359

Severity: HIGH, 8.7 (CVSS 4.0; Vendor: ce714d77-add3-4f53-aff5-83d477b104bb)
Weakness: Missing Release of Resource after Effective Lifetime (CWE-772)
Published: 2026-02-27
Advisory: GHSA-v52c-386h-88mc

Severity by source

Vendor (ce714d77-add3-4f53-aff5-83d477b104bb), primary: 8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 7.5 HIGH
Remote, unauthenticated, no-interaction abuse of any Multer upload endpoint (AV:N/AC:L/PR:N/UI:N) causing resource exhaustion with availability-only impact (A:H, C/I:N).
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ce714d77-add3-4f53-aff5-83d477b104bb).

CVSS Vector (Vendor: ce714d77-add3-4f53-aff5-83d477b104bb)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

  • Analysis Updated: Jun 30, 2026 - 05:13, vuln.today, v2 (cvss_changed)
  • Analysis Updated: Jun 30, 2026 - 05:10, vuln.today, v1 (cvss_changed)
  • Re-analysis Queued: Jun 30, 2026 - 03:24, vuln.today, cvss_changed
  • CVSS changed: Jun 30, 2026 - 03:24, NVD, 8.7 (HIGH)
  • Patch released: Mar 31, 2026 - 21:13, nvd, patch available
  • Analysis Generated: Mar 12, 2026 - 21:55, vuln.today
  • CVE Published: Feb 27, 2026 - 16:16, nvd, N/A

Blast Radius

  • 8 npm packages depend on multer (5 direct, 3 indirect)

Ecosystem-wide dependent count for version 2.1.0.

Description (CVE.org)

Multer is a Node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping the connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.

Analysis (AI)

Denial of service in Multer (the Express.js multipart/form-data middleware) before version 2.1.0 lets remote unauthenticated attackers exhaust server resources by abruptly dropping the connection mid-upload, leaving allocated resources unreleased. The flaw maps to CWE-772 (missing release of resource) and carries a CVSS 4.0 base score of 8.7 driven entirely by availability impact. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Express app upload endpoint
Delivery: Open multipart/form-data upload requests
Exploit: Drop connections mid-upload
Execution: Leak unreleased per-request resources
Persist: Exhaust memory/file descriptors
Impact: Service denial of service

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target application uses Multer (version below 2.1.0) to handle multipart/form-data file uploads and exposes at least one reachable upload endpoint; the attacker simply opens upload requests and terminates the connection before completion to leak resources. …
Risk Assessment: Signals are mostly consistent and point to a real but availability-only concern. …
Exploit Scenario: An attacker repeatedly initiates multipart/form-data file uploads against a public Express.js endpoint that uses Multer and deliberately drops each connection mid-transfer, so the server never releases the per-upload resources. Sustained over many concurrent abandoned uploads, this exhausts memory or file descriptors and renders the service unresponsive. …
Remediation: Vendor-released patch: Multer 2.1.0. Upgrade the multer dependency to 2.1.0 or later (e.g. …

Recommended Action (AI)

Within 24 hours: inventory all Node.js services using Multer (check package.json dependencies for versions < 2.1.0); prioritize applications with public-facing upload functionality. …
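Added example of the inventory step above, not code from vuln.today or the Multer project: a Node.js script that walks a package-lock.json (lockfileVersion 2/3 "packages" map) and reports every installed copy of multer, direct or nested under another dependency, whose resolved version is below the fixed 2.1.0. The sample lockfile and the "legacy-uploader" package in it are constructed.

```javascript
// Added example, not code from vuln.today or the Multer project: report every
// installed copy of multer in a package-lock.json (lockfileVersion 2/3 "packages"
// map) whose resolved version is below the patched release 2.1.0.

const FIXED = [2, 1, 0]; // first fixed Multer release named in the advisory

// Parse "2.0.2" or "2.1.0-rc.1" into { nums: [major, minor, patch], pre: bool }.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: m.slice(1, 4).map(Number), pre: m[4] !== undefined };
}

// True when the version sorts before 2.1.0 (a 2.1.0 pre-release is still affected).
function isAffected(version) {
  const { nums, pre } = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (nums[i] !== FIXED[i]) return nums[i] < FIXED[i];
  }
  return pre;
}

// Walk the lockfile's "packages" map; keys are install paths, so a copy pulled in
// transitively appears as "node_modules/<dep>/node_modules/multer".
function findAffectedMulter(lock) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/multer$/.test(path) || !pkg.version) continue;
    if (isAffected(pkg.version)) {
      hits.push({ path, version: pkg.version, direct: path === 'node_modules/multer' });
    }
  }
  return hits;
}

// Constructed sample lockfile: a direct multer 2.0.2 plus a nested 1.4.5 brought
// in by a hypothetical "legacy-uploader" dependency. Both should be reported.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { multer: '^2.0.0', 'legacy-uploader': '1.0.0' } },
    'node_modules/multer': { version: '2.0.2' },
    'node_modules/legacy-uploader': { version: '1.0.0', dependencies: { multer: '~1.4.0' } },
    'node_modules/legacy-uploader/node_modules/multer': { version: '1.4.5' },
  },
};

for (const hit of findAffectedMulter(sampleLock)) {
  console.log(`${hit.direct ? 'direct' : 'nested'} multer ${hit.version} at ${hit.path}`);
}
```

To run it against a real project, replace sampleLock with the parsed contents of that project's package-lock.json (for example via JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))).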



CVE-2026-2359 vulnerability details – vuln.today
