Multer vulnerable to Denial of Service via uncontrolled recursion
Description
Multer is a node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multer prior to 2.1.1 is vulnerable to Denial of Service via malformed requests causing uncontrolled recursion and stack overflow.
Vulnerability
CVE-2026-3520 is a Denial of Service (DoS) vulnerability in Multer, a Node.js middleware for handling multipart/form-data requests. The vulnerability exists in versions prior to 2.1.1 and allows an attacker to cause uncontrolled recursion when processing specially crafted requests, leading to a stack overflow [1][3][4].
Exploitation
The attack is triggered by sending malformed multipart requests to a server using an affected version of Multer. The official advisory indicates the attack vector is network-based, requires no special privileges, and does not require user interaction [3]. This means any remote attacker who can reach the application can exploit the vulnerability without authentication.
Impact
Successful exploitation results in a Denial of Service condition, causing the Node.js process to crash due to stack overflow. This disrupts service availability for legitimate users. No data confidentiality or integrity impact is reported, as the vulnerability is purely a DoS [3][4].
Mitigation
The fix is included in Multer version 2.1.1. Users should upgrade to this version or later. No known workarounds exist [1][4]. The vulnerability was published on 2026-03-04, and the patch is available [4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| multer (npm) | < 2.1.1 | 2.1.1 |
Affected products
- expressjs/multer
Patches
2 files changed · +29 −1
lib/remove-uploaded-files.js+1 −1 modified@@ -15,7 +15,7 @@ function removeUploadedFiles (uploadedFiles, remove, cb) { } if (idx < length - 1) { - handleFile(idx + 1) + setImmediate(function () { handleFile(idx + 1) }) } else { cb(null, errors) }
test/error-handling.js+28 −0 modified@@ -5,6 +5,7 @@ var assert = require('assert') var os = require('os') var util = require('./_util') var multer = require('../') +var removeUploadedFiles = require('../lib/remove-uploaded-files') var stream = require('stream') var FormData = require('form-data') var http = require('http') @@ -431,4 +432,31 @@ describe('Error Handling', function () { sock.on('error', function () {}) }) }) + + it('should not overflow call stack when cleaning up many files (memory storage sync remove)', function (done) { + // - without setImmediate in remove-uploaded-files, synchronous _removeFile (e.g. memory storage) + // causes handleFile(0) -> remove -> cb() -> handleFile(1) -> ... in one stack, + // leading to "Maximum call stack size exceeded" + // - use enough files to exceed typical node stack depth (~10k - 30k) + + this.timeout(10 * 1000) + + var fileCount = 25000 + var uploadedFiles = [] + + for (var i = 0; i < fileCount; i++) { + uploadedFiles.push({ fieldname: 'file', originalname: 'f.dat', buffer: Buffer.alloc(0) }) + } + + function syncRemove (file, cb) { + delete file.buffer + cb(null) + } + + removeUploadedFiles(uploadedFiles, syncRemove, function (err, errors) { + assert.ifError(err) + assert.strictEqual(errors.length, 0) + done() + }) + }) })
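Review bot: the `setImmediate` wrapper in lib/remove-uploaded-files.js carries no comment saying it is a stack-depth guard, so a later tidy-up could fold `setImmediate(function () { handleFile(idx + 1) })` back into a direct `handleFile(idx + 1)` call and silently reintroduce the overflow; a one-line comment next to it, in the wording the new test already uses (a synchronous `_removeFile` otherwise chains handleFile(0) -> remove -> cb() -> handleFile(1) on one stack), would document why the indirection exists.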
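Review bot: in the new test in test/error-handling.js, `fileCount = 25000` sits inside the range the comment itself quotes for typical Node stack depth (~10k - 30k), so on a build near the top of that range the regression test could pass even without the `setImmediate` change; because each file costs several frames (handleFile -> remove -> cb), it very likely overflows in practice, but raising `fileCount` well above the quoted upper bound, or stating the per-file frame count in the comment, would make the failure on unpatched code unambiguous. Also, `syncRemove` never reports an error, so `assert.strictEqual(errors.length, 0)` only exercises the happy path, which is fine for a stack-depth test but worth saying in the test name or comment.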
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
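The recursion the description above refers to, shown as an added example that is not Multer's own code: a cleanup routine in the vulnerable "recurse from inside the callback" form next to the `setImmediate`-deferred form that the 2.1.1 patch uses, driven by a constructed list of in-memory file objects and a synchronous remover. The function names (`removeAllRecursive`, `removeAllDeferred`, `runRecursive`, `runDeferred`) and the sample file objects are assumptions made for this illustration, and the file count of 100000 is chosen only to exceed any default Node.js stack depth.

```javascript
'use strict'
// Added illustration (not Multer's code) of the cleanup pattern behind CVE-2026-3520,
// in a vulnerable form and a patched form. All names here are assumptions.

// Vulnerable form: when `remove` calls back synchronously (as an in-memory storage
// engine does), handleFile(0) -> remove -> cb -> handleFile(1) -> ... all run on one
// call stack, so a long enough file list throws "Maximum call stack size exceeded".
function removeAllRecursive (files, remove, cb) {
  var errors = []
  function handleFile (idx) {
    remove(files[idx], function (err) {
      if (err) errors.push(err)
      if (idx < files.length - 1) {
        handleFile(idx + 1) // direct recursion from inside the callback
      } else {
        cb(null, errors)
      }
    })
  }
  if (files.length === 0) return cb(null, errors)
  handleFile(0)
}

// Patched form (the shape of the 2.1.1 fix): defer the next step with setImmediate,
// so every file is handled on a fresh event-loop turn and stack depth stays constant.
function removeAllDeferred (files, remove, cb) {
  var errors = []
  function handleFile (idx) {
    remove(files[idx], function (err) {
      if (err) errors.push(err)
      if (idx < files.length - 1) {
        setImmediate(function () { handleFile(idx + 1) })
      } else {
        cb(null, errors)
      }
    })
  }
  if (files.length === 0) return cb(null, errors)
  handleFile(0)
}

// Constructed input: `count` in-memory "uploaded files" plus a synchronous remover.
function makeFiles (count) {
  var files = []
  for (var i = 0; i < count; i++) {
    files.push({ fieldname: 'file', originalname: 'f.dat', buffer: Buffer.alloc(0) })
  }
  return files
}

function syncRemove (file, cb) {
  delete file.buffer
  cb(null)
}

// Runs the vulnerable form and reports whether it blew the stack before finishing.
function runRecursive (count) {
  var result = { completed: false, overflowed: false }
  try {
    removeAllRecursive(makeFiles(count), syncRemove, function () { result.completed = true })
  } catch (e) {
    result.overflowed = e instanceof RangeError // V8's stack-overflow error type
  }
  return result
}

// Runs the patched form; resolves with how many files were actually cleaned up.
function runDeferred (count) {
  return new Promise(function (resolve, reject) {
    var files = makeFiles(count)
    removeAllDeferred(files, syncRemove, function (err, errors) {
      if (err) return reject(err)
      var processed = files.filter(function (f) { return !('buffer' in f) }).length
      resolve({ processed: processed, errors: errors })
    })
  })
}

if (typeof require !== 'undefined' && require.main === module) {
  var n = 100000
  console.log('recursive:', runRecursive(n))
  runDeferred(n).then(function (r) { console.log('deferred:', r) })
}
```

Run it with `node`: the recursive form reports `overflowed: true` and never reaches its completion callback, while the deferred form cleans up every file because each step starts on an empty stack. The same shape applies to any callback-driven loop whose callee may complete synchronously, which is why the patch changes only the recursion site and not the storage engines.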
References
1. github.com/advisories/GHSA-5528-5vmv-3xc2 (advisory, via GHSA)
2. nvd.nist.gov/vuln/detail/CVE-2026-3520 (advisory, via GHSA)
3. cna.openjsf.org/security-advisories.html (web, via GHSA)
4. github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752 (web, via GHSA)
5. github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2 (web, via GHSA)
6. www.cve.org/CVERecord (web, via GHSA)