VYPR
High severity · NVD Advisory · Published Feb 27, 2026 · Updated Feb 27, 2026

Multer vulnerable to Denial of Service via incomplete cleanup

CVE-2026-3304

Description

Multer is a node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multer prior to version 2.1.0 is vulnerable to Denial of Service via malformed multipart requests, leading to resource exhaustion; users should upgrade to 2.1.0.

Vulnerability

Overview

Multer, a Node.js middleware for handling multipart/form-data [1], contains a vulnerability in versions prior to 2.1.0 that allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests. The root cause is incomplete cleanup of resources when processing specially crafted multipart payloads, leading to resource exhaustion [3][4].

Exploitation

An attacker can exploit this vulnerability by sending a malformed HTTP request with a multipart/form-data content type to any endpoint using Multer. No authentication or special privileges are required; the attack can be carried out remotely over the network. The malformed request causes Multer to fail to properly release allocated resources, gradually consuming server memory or other resources until the service becomes unresponsive [3].

Impact

Successful exploitation results in a Denial of Service condition, where the affected server may become unable to process legitimate requests due to resource exhaustion. This can lead to service downtime and potential cascading failures in applications relying on Multer for file uploads [4].

Mitigation

The vulnerability is patched in Multer version 2.1.0. Users are advised to upgrade immediately. No known workarounds exist for this issue [3][4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions   Patched versions
multer (npm)    < 2.1.0             2.1.0


Patches
739919097dde

🔒 fix orphaned files issue

https://github.com/expressjs/multer · ctcpip · Feb 26, 2026 · via ghsa
2 files changed · +81 −0
  • lib/make-middleware.js · +5 −0 · modified
    @@ -153,6 +153,11 @@ function makeMiddleware (setup) {
           var placeholder = appender.insertPlaceholder(file)
     
           fileFilter(req, file, function (err, includeFile) {
    +        if (errorOccured) {
    +          appender.removePlaceholder(placeholder)
    +          return fileStream.resume()
    +        }
    +
             if (err) {
               appender.removePlaceholder(placeholder)
               return abortWithError(err)
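Review bot: the new `if (errorOccured)` guard at the top of the fileFilter callback carries no comment explaining the race it closes, so a reader has to reconstruct it from the commit title and the new test: a fileFilter that calls back asynchronously can complete after an earlier part of the same request has already set `errorOccured` and aborted the request, at which point the placeholder will never be flushed and the part's file would be left orphaned on disk. Suggest a one-line comment above the guard, e.g. `// request already aborted while fileFilter was pending; discard this part`. Ordering is also worth stating: the guard runs before `if (err)`, so a filter error on an already-aborted request is dropped rather than reaching `abortWithError` a second time. Minor: `errorOccured` is an existing misspelling of `errorOccurred`; keeping it here is fine for consistency, but a follow-up rename would help.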
    
  • test/async-file-filter-orphan.js · +76 −0 · added
    @@ -0,0 +1,76 @@
    +/* eslint-env mocha */
    +
    +var assert = require('assert')
    +var fs = require('fs')
    +var os = require('os')
    +var path = require('path')
    +var http = require('http')
    +
    +var express = require('express')
    +var multer = require('../')
    +
    +describe('async fileFilter cleanup', function () {
    +  it('does not leave orphan files when request aborts with missing field name', function (done) {
    +    var uploadDir = fs.mkdtempSync(path.join(os.tmpdir(), 'multer-orphan-'))
    +    var app = express()
    +
    +    var upload = multer({
    +      dest: uploadDir,
    +      fileFilter: function (req, file, cb) {
    +        setImmediate(function () { cb(null, true) })
    +      }
    +    })
    +
    +    app.post('/upload', upload.any(), function (req, res) {
    +      res.json({ success: true })
    +    })
    +
    +    app.use(function (err, req, res, next) {
    +      res.status(400).json({ error: err.code })
    +    })
    +
    +    var server = app.listen(0, function () {
    +      var port = server.address().port
    +      var boundary = 'TestBound'
    +      var body =
    +        '--' + boundary + '\r\n' +
    +        'Content-Disposition: form-data; name="f"; filename="a.bin"\r\n' +
    +        'Content-Type: application/octet-stream\r\n\r\nORPHAN FILE DATA\r\n' +
    +        '--' + boundary + '\r\n' +
    +        'Content-Disposition: form-data; filename="b.bin"\r\n' +
    +        'Content-Type: application/octet-stream\r\n\r\nx\r\n' +
    +        '--' + boundary + '--\r\n'
    +
    +      var req = http.request({
    +        hostname: 'localhost',
    +        port: port,
    +        path: '/upload',
    +        method: 'POST',
    +        headers: {
    +          'Content-Type': 'multipart/form-data; boundary=' + boundary,
    +          'Content-Length': Buffer.byteLength(body)
    +        }
    +      }, function (res) {
    +        res.resume()
    +        res.on('end', function () {
    +          setTimeout(function () {
    +            var files = fs.readdirSync(uploadDir)
    +            assert.strictEqual(res.statusCode, 400)
    +            assert.strictEqual(files.length, 0)
    +            server.close(done)
    +          }, 500)
    +        })
    +      })
    +
    +      req.on('error', function (err) {
    +        server.close(function () {
    +          done(err)
    +        })
    +      })
    +
    +      req.write(body)
    +      req.end()
    +    })
    +  })
    +}
    +)
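Review bot: the assertions wait on a fixed `setTimeout(..., 500)` for the asynchronous cleanup to finish before reading `uploadDir`, which is timing-dependent and will be flaky on a loaded CI runner while adding half a second to every run; polling `fs.readdirSync(uploadDir)` until it is empty or a deadline passes would be more robust. The directory from `fs.mkdtempSync` is never removed, so every run leaves a `multer-orphan-*` directory in `os.tmpdir()`; an `after` hook with `fs.rmSync(uploadDir, { recursive: true })` would fix that. The `assert.strictEqual` calls inside the timer throw outside the `done` path when they fail, so `server.close(done)` is never reached and the server stays open; wrapping them in try/catch and passing the error to `done` keeps failures clean. Style: the file ends with `}` and `)` on separate lines where the rest of the file closes with `})`.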
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References
