Multer
CVE-2026-2359
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote, unauthenticated, no-interaction abuse of any Multer upload endpoint (AV:N/AC:L/PR:N/UI:N) causing resource exhaustion with availability-only impact (A:H, C/I:N).
Primary rating from Vendor (ce714d77-add3-4f53-aff5-83d477b104bb).
Blast Radius
Ecosystem impact: 8 npm packages depend on multer (5 direct, 3 indirect). Ecosystem-wide dependent count for version 2.1.0.
Description (source: CVE.org)
Multer is a Node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping the connection during a file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.
Analysis (AI-generated)
Denial of service in Multer (Express.js multipart/form-data middleware) before version 2.1.0 lets remote, unauthenticated attackers exhaust server resources by abruptly dropping the connection mid-upload, leaving allocated resources unreleased. The flaw maps to CWE-772 (Missing Release of Resource after Effective Lifetime) and carries a CVSS 4.0 base score of 8.7, driven entirely by availability impact. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the target application uses Multer (version below 2.1.0) to handle multipart/form-data file uploads and exposes at least one reachable upload endpoint; the attacker simply opens upload requests and terminates the connection before completion to leak resources. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent and point to a real but availability-only concern. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker repeatedly initiates multipart/form-data file uploads against a public Express.js endpoint that uses Multer and deliberately drops each connection mid-transfer, so the server never releases the per-upload resources. Sustained over many concurrent abandoned uploads, this exhausts memory or file descriptors and renders the service unresponsive. … |
| Remediation | Vendor-released patch: Multer 2.1.0. Upgrade the multer dependency to 2.1.0 or later (e.g. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI-generated)
Within 24 hours: inventory all Node.js services using Multer (check package.json dependencies for versions < 2.1.0); prioritize applications with public-facing upload functionality. …
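The inventory step above is mechanical enough to script. The following is an added example, not code from vuln.today or from the Multer project: it reads a `package.json` (declared ranges) and an npm `package-lock.json` (resolved versions, including nested copies under other packages) and flags every multer entry below the fixed release 2.1.0 named in the advisory. The two sample manifests embedded at the bottom are constructed for the demonstration; the version comparator is a minimal one written here, not the `semver` package.

```javascript
// Added example (not from vuln.today or the Multer project): inventory check
// for Multer versions below the fixed release 2.1.0 named in CVE-2026-2359.
// The manifests at the bottom are constructed samples; feed the audit
// functions the contents of your own package.json / package-lock.json.

const FIXED_VERSION = "2.1.0";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator returning -1, 0 or 1. A prerelease sorts before the release with
// the same core, so "2.1.0-rc.1" still counts as below the fix.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Lowest concrete version a package.json range can resolve to. Caret/tilde
// ranges ("^1.4.5-lts.1", "~2.0.0") and ">=" bounds start at the version they
// name; wildcards such as "*" or "2.x" yield null (unknown, review by hand).
function minimumOfRange(range) {
  const m = /(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)/.exec(range);
  return m ? m[1] : null;
}

// Audit the declared dependency ranges of a package.json document.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    const range = pkg[field] && pkg[field].multer;
    if (range === undefined) continue;
    const minimum = minimumOfRange(range);
    findings.push({
      field, range, minimum,
      // null = wildcard range that needs manual review
      vulnerable: minimum === null ? null : compareVersions(minimum, FIXED_VERSION) < 0,
    });
  }
  return findings;
}

// Audit resolved versions in an npm lockfile. lockfileVersion 2/3 list every
// installed copy under "packages" (nested copies included); lockfileVersion 1
// nests them under "dependencies", which is walked recursively.
function auditLockfile(text) {
  const lock = JSON.parse(text);
  const findings = [];
  const record = (location, version) => findings.push({
    location, version, vulnerable: compareVersions(version, FIXED_VERSION) < 0,
  });
  if (lock.packages) {
    for (const [loc, entry] of Object.entries(lock.packages)) {
      if (loc === "node_modules/multer" || loc.endsWith("/node_modules/multer")) {
        record(loc, entry.version);
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const loc = `${prefix}node_modules/${name}`;
        if (name === "multer") record(loc, entry.version);
        if (entry.dependencies) walk(entry.dependencies, `${loc}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

// Constructed sample manifests: a service on the 1.4.5-lts line whose lockfile
// also carries a nested, already-fixed copy pulled in by another library.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "upload-service",
  dependencies: { express: "^4.19.2", multer: "^1.4.5-lts.1" },
});
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "upload-service",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { express: "^4.19.2", multer: "^1.4.5-lts.1" } },
    "node_modules/multer": { version: "1.4.5-lts.1" },
    "node_modules/some-lib/node_modules/multer": { version: "2.1.0" },
  },
});

console.log(JSON.stringify({
  declared: auditPackageJson(SAMPLE_PACKAGE_JSON),
  installed: auditLockfile(SAMPLE_LOCKFILE),
}, null, 2));
```

The lockfile audit matters more than the manifest audit: a top-level range can look fixed while a transitive dependency still pins its own nested copy below 2.1.0, and only the resolved tree shows that. Runs with plain `node` and no dependencies.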
Related advisory
GHSA-v52c-386h-88mc