
CVE Reports

Originally published at cvereports.com

CVE-2026-3520: Denial of Service via Uncontrolled Recursion in Multer

Vulnerability ID: CVE-2026-3520
CVSS Score: 8.7
Published: 2026-03-05

A high-severity Denial of Service (DoS) vulnerability exists in the Multer Node.js middleware (versions prior to 2.1.1). The flaw stems from uncontrolled synchronous recursion during file cleanup and error handling, allowing remote attackers to crash the Node.js process via crafted multipart requests containing excessive fields or files.

TL;DR

Multer < 2.1.1 is vulnerable to DoS. Attackers can trigger a stack overflow by sending multipart requests with thousands of files/fields, causing the application to crash due to recursive synchronous function calls.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-674
  • CVSS Score: 8.7 (High)
  • Attack Vector: Network
  • Impact: Denial of Service
  • Exploit Status: PoC Available
  • KEV Listed: No

Affected Systems

  • Node.js applications using expressjs/multer
  • multer: < 2.1.1 (Fixed in: 2.1.1)

Code Analysis

Commit: 7e66481

Fix: use setImmediate in removeUploadedFiles to avoid stack overflow

  if (idx < length - 1) {
    // Defer the next file to a fresh event-loop turn so the current stack
    // unwinds before handleFile runs again, instead of recursing synchronously.
    setImmediate(function () { handleFile(idx + 1) })
  }

Commit: e86fa52

Fix: ensure error handling idempotency and stream unpiping

  function onFinished(err) {
    if (called) return   // guard: a second error/finish event must not rerun cleanup
    called = true
    ...
  }

Exploit Details

  • GitHub Advisory: Official advisory containing reproduction steps and PoC logic.

Mitigation Strategies

  • Limit request body size upstream (WAF/Reverse Proxy)
  • Restrict the maximum number of file parts in the Multer configuration (the limits option)
  • Implement process monitoring and auto-restart capabilities

Remediation Steps:

  1. Identify projects using multer via npm list multer or yarn list multer.
  2. Update multer to version 2.1.1 or greater: npm install multer@latest.
  3. Verify the installed version: npm list multer should show 2.1.1.
  4. As a defense-in-depth measure, configure the limits option in Multer (e.g., { limits: { files: 10 } }) to reject requests with excessive parts before they trigger deep recursion.

Read the full report for CVE-2026-3520 on our website for more details including interactive diagrams and full exploit analysis.
