Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch.
No known workarounds are available.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
High
Complete denial of service
CVSS Vector v4.0
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Expressjs Multer
cpe:2.3:a:expressjs:multer:*:*:*:*:*:node.js:*:*
|
— |
2.1.0
|
References 4
https://cna.openjsf.org/security-advisories.html
ce714d77-add3-4f53-aff5-83d477b104bb
https://github.com/expressjs/multer/commit/739919097dde3921ec31b930e4b9025036fa…
ce714d77-add3-4f53-aff5-83d477b104bb
https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p
ce714d77-add3-4f53-aff5-83d477b104bb
https://www.cve.org/CVERecord?id=CVE-2026-3304
ce714d77-add3-4f53-aff5-83d477b104bb