CVE-2026-2359
Published: 27 February 2026
Summary
CVE-2026-2359 is a high-severity Missing Release of Resource after Effective Lifetime (CWE-772) vulnerability in Expressjs Multer. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); it is ranked at the 42.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-2359 is a denial-of-service vulnerability in Multer, a Node.js middleware used for handling multipart/form-data, affecting versions prior to 2.1.0. The flaw, classified under CWE-772 (Failed to Release Resource), allows an attacker to trigger resource exhaustion by dropping a connection during a file upload process. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its impact on availability.
The vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction required. By initiating a file upload and abruptly terminating the connection, an attacker can cause Multer to fail in releasing resources, leading to potential exhaustion of server memory or other resources, thereby denying service to legitimate users.
Advisories recommend upgrading to Multer version 2.1.0, where the issue is patched, as detailed in the GitHub security advisory (GHSA-v52c-386h-88mc) and the specific commit (cccf0fe0e64150c4f42ccf6654165c0d66b9adab). No workarounds are available, and further details are provided in the OpenJSF security advisories and the official CVE record.
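Since the advisory's only remediation is the version bump, the practical defender task is finding every copy of Multer below 2.1.0 in a deployment, including transitive copies nested under other packages. The following Node.js script is an added example, not code from the advisory or from the Multer project: it walks the `packages` map of an npm lockfile (v2/v3 format) and reports any `multer` entry older than the fixed version named above. The lockfile object embedded below is constructed for the demonstration; the `auditLockfile` helper that reads a real file is an assumed convenience, not part of any published tool.

```javascript
// Added example (not from the advisory or the Multer project): flag installed
// copies of multer below the patched version 2.1.0 given for CVE-2026-2359.
const ADVISORY = {
  id: 'CVE-2026-2359',
  ghsa: 'GHSA-v52c-386h-88mc',
  pkg: 'multer',
  fixedIn: '2.1.0',
};

// Minimal semver parse: "1.4.5-lts.2" -> { core: [1, 4, 5], pre: "lts.2" }.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns <0, 0 or >0 like strcmp. A pre-release sorts below its release.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Walk the lockfile's "packages" map. Keys look like "node_modules/multer" or
// "node_modules/foo/node_modules/multer", so nested transitive copies are found
// too; the package name is everything after the last "node_modules/".
function findVulnerable(lock, advisory = ADVISORY) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (name !== advisory.pkg || !entry.version) continue;
    if (compareVersions(entry.version, advisory.fixedIn) < 0) {
      hits.push({ path, version: entry.version, fixedIn: advisory.fixedIn, id: advisory.id });
    }
  }
  return hits;
}

// Assumed convenience wrapper for a real package-lock.json on disk.
function auditLockfile(filePath) {
  const fs = require('fs');
  return findVulnerable(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}

// Constructed sample lockfile: one direct copy of multer and two nested ones.
const SAMPLE_LOCK = {
  name: 'upload-service',
  lockfileVersion: 3,
  packages: {
    '': { name: 'upload-service', version: '1.0.0' },
    'node_modules/express': { version: '4.21.2' },
    'node_modules/multer': { version: '1.4.5-lts.2' },
    'node_modules/legacy-uploader/node_modules/multer': { version: '2.0.2' },
    'node_modules/patched-app/node_modules/multer': { version: '2.1.0' },
  },
};

console.log(JSON.stringify(findVulnerable(SAMPLE_LOCK), null, 2));
```

On the sample above the script reports the 1.4.5-lts.2 and 2.0.2 copies and stays silent on the 2.1.0 one; a real run is `auditLockfile('./package-lock.json')`, and any non-empty result means the upgrade to 2.1.0 has not reached every dependency path.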
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9032
Vulnerability details
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping the connection during a file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directly enables Endpoint DoS via application exploitation by triggering resource exhaustion on connection drop during multipart uploads.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly addresses the CVE by requiring timely remediation of the specific flaw in Multer through patching to version 2.1.0.
- SC-5 (Denial-of-service Protection): provides denial-of-service protections such as rate limiting or connection throttling to mitigate resource exhaustion from dropped upload connections.
- SC-6 (Resource Availability): enforces resource allocation limits and priorities to prevent exhaustion of memory or other resources triggered by the vulnerability.