{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3520", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2026-03-04T15:27:42.237Z", "datePublished": "2026-03-04T16:17:18.962Z", "dateUpdated": "2026-03-04T17:12:25.815Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-04T16:17:18.962Z"}, "descriptions": [{"lang": "en", "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available."}]}], "affected": [{"vendor": "expressjs", "product": "multer", "defaultStatus": "unaffected", "versions": [{"versionType": "semver", "status": "affected", "version": "0", "lessThan": "2.1.1"}], "packageURL": "pkg:npm/multer"}], "references": [{"url": "https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-3520"}, {"url": "https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "credits": [{"lang": "en", "type": "reporter", "value": "Yuki Matsuhashi"}, {"lang": "en", "type": "remediation developer", "value": "Chris de Almeida"}, {"lang": "en", "type": "remediation reviewer", "value": "Ulises Gasc\u00f3n"}], "title": "Multer vulnerable to Denial of Service via uncontrolled recursion", "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "baseScore": 8.7, "baseSeverity": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-674", "lang": "en", "description": "CWE-674: Uncontrolled Recursion", "type": "CWE"}]}], "x_generator": {"engine": "cve-kit 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T17:12:05.396070Z", "id": "CVE-2026-3520", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T17:12:25.815Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3520", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T17:12:05.396070Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T17:12:17.326Z"}}], "cna": {"title": "Multer vulnerable to Denial of Service via uncontrolled recursion", "credits": [{"lang": "en", "type": "reporter", "value": "Yuki Matsuhashi"}, {"lang": "en", "type": "remediation developer", "value": "Chris de Almeida"}, {"lang": "en", "type": "remediation reviewer", "value": "Ulises Gasc\u00f3n"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "expressjs", "product": "multer", "versions": [{"status": "affected", "version": "0", "lessThan": "2.1.1", "versionType": "semver"}], "packageURL": "pkg:npm/multer", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-3520"}, {"url": "https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "x_generator": {"engine": "cve-kit 1.0.0"}, "descriptions": [{"lang": "en", "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.", "supportingMedia": [{"type": "text/html", "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-674", "description": "CWE-674: Uncontrolled Recursion"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2026-03-04T16:17:18.962Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3520", "state": "PUBLISHED", "dateUpdated": "2026-03-04T17:12:25.815Z", "dateReserved": "2026-03-04T15:27:42.237Z", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "datePublished": "2026-03-04T16:17:18.962Z", "assignerShortName": "openjs"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:expressjs:multer:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "51E55C80-BCCC-4313-85BF-8AD0B4E36182", "versionEndExcluding": "2.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available."}, {"lang": "es", "value": "Multer es un middleware de node.js para manejar 'multipart/form-data'. Una vulnerabilidad en Multer anterior a la versi\u00f3n 2.1.1 permite a un atacante activar una denegaci\u00f3n de servicio (DoS) enviando solicitudes malformadas, lo que podr\u00eda causar un desbordamiento de pila. Los usuarios deben actualizar a la versi\u00f3n 2.1.1 para recibir un parche. No se conocen soluciones alternativas disponibles."}], "id": "CVE-2026-3520", "lastModified": "2026-03-09T18:03:23.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2026-03-04T17:16:22.610", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Third Party Advisory"], "url": "https://cna.openjsf.org/security-advisories.html"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Patch"], "url": "https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Vendor Advisory"], "url": "https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-3520"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{"bugzilla": {"description": "multer: Multer: Denial of Service via malformed requests", "id": "2444584", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444584"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-3520", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-03-04T16:17:18Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3520\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3520\nhttps://cna.openjsf.org/security-advisories.html\nhttps://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752\nhttps://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "multer", "source": "cna", "vendor": "expressjs"}, "product": "multer", "vendor": "expressjs"}], "analysis": {"en": {"generated_at": "2026-04-17T13:10:39.400184+00:00", "value": {"mitigation_remediation": ["Upgrade Multer to version 2.1.1 or later.", "Implement validation or preprocessing for multipart requests to reject malformed payloads before invoking Multer.", "Apply rate limiting or temporarily disable file\u2011upload endpoints until the patch is applied."], "summary": {"action": "Upgrade", "impact": "Denial of Service via stack overflow"}, "threat_synthesis": {"affected_systems": "The issue affects Express.js Multer before version 2.1.1 running on any Node.js environment. All installations that rely on a vulnerable version of this middleware are potentially impacted.", "description_and_impact": "A flaw in the Node.js middleware Multer allows an attacker to cause a stack overflow by sending specially crafted multipart/form\u2011data requests. The unchecked recursion in the parsing logic leads to an uncontrolled resource exhaustion that can hung the application process and render the service unavailable. The vulnerability is classified as a high\u2011severity Denial of Service.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a severe threat. The EPSS score is below 1\u202f%, suggesting that exploitation has not been observed in the wild, and the vulnerability is not listed in CISA\u2019s KEV catalog. An attacker could exploit the flaw remotely by delivering malformed multipart requests over HTTP, assuming the endpoint is exposed to the network. (Based on the description, it is inferred that the attack vector is HTTP.) No active exploits are reported and the attack likely requires sending many crafted packets to trigger the recursion."}}}}, "created": "2026-03-05T09:08:27.930245+00:00", "updated": "2026-04-17T13:15:19.684031+00:00", "vendors": ["expressjs", "expressjs$PRODUCT$multer"]}