CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-3304: Denial of Service via Incomplete File Cleanup in Multer Middleware


Vulnerability ID: CVE-2026-3304
CVSS Score: 8.7
Published: 2026-03-01

A critical resource exhaustion vulnerability exists in the Multer Node.js middleware versions prior to 2.1.0. The issue arises from a race condition between asynchronous file filtering and stream error handling. When a request triggers an error during the processing of a multipart stream, files that were pending validation in an asynchronous fileFilter are not properly cleaned up from the disk. This allows remote attackers to exhaust the server's storage capacity by repeatedly sending crafted requests, leading to a Denial of Service (DoS).

TL;DR

Multer < 2.1.0 fails to delete temporary files if a request errors out while an asynchronous file filter is running. Attackers can flood the server with requests that trigger this condition, filling the disk and crashing the application.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-459
  • Vulnerability Type: Resource Exhaustion (DoS)
  • CVSS 4.0: 8.7 (High)
  • Attack Vector: Network
  • Affected Component: make-middleware.js
  • Prerequisites: Asynchronous fileFilter configuration

Affected Systems

  • Node.js applications using Multer < 2.1.0
  • Express.js applications using Multer < 2.1.0
  • multer: < 2.1.0 (Fixed in: 2.1.0)

Code Analysis

Commit: 7399190

fix: cleanup file when error occured during fileFilter

@@ -155,6 +155,11 @@
       fileFilter(req, file, function (err, includeFile) {
+        if (errorOccured) {
+          appender.removePlaceholder(placeholder)
+          return fileStream.resume()
+        }
+
         if (err) {
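Review bot: the guard at the top of the fileFilter callback discards the filter's `err`/`includeFile` result once `errorOccured` is set, but nothing in the hunk says why `return fileStream.resume()` is needed; a one-line comment stating that the resume drains the part so the multipart parser can finish would help the next reader. The hunk also carries no regression test for the condition named in the commit message (raise a stream error while an asynchronous fileFilter is still pending, then assert the temporary directory is empty); that test is what shows `appender.removePlaceholder(placeholder)` actually prevents the orphaned file.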

Mitigation Strategies

  • Upgrade Multer to version 2.1.0 or later immediately.
  • Implement request size limits at the reverse proxy level (e.g., Nginx client_max_body_size) to slow down potential exhaustion attacks, though this does not fix the root cause.
  • Monitor disk usage on partitions hosting temporary directories and alert on rapid increases.

Remediation Steps:

  1. Identify all projects using multer via npm list multer or yarn list multer.
  2. Update the package version in package.json to ^2.1.0.
  3. Run npm install or yarn install to apply the patch.
  4. Restart the Node.js application service.
  5. Verify the fix by checking node_modules/multer/lib/make-middleware.js for the if (errorOccured) check in the fileFilter callback.

Read the full report for CVE-2026-3304 on our website for more details including interactive diagrams and full exploit analysis.