Cyber Posture

CVE-2026-2359

Severity: High
Published: 27 February 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: available
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (5.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2359 is a high-severity Missing Release of Resource after Effective Lifetime (CWE-772) vulnerability in Expressjs Multer. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 5.3rd percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-772: ensures network resources are released once the session ends or becomes inactive, closing the window for missing-release weaknesses.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Directly enables Endpoint DoS via application exploitation: the flaw is triggered by resource exhaustion when a connection is dropped during a multipart upload.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.

Deeper analysis (AI-generated)

CVE-2026-2359 is a denial-of-service vulnerability in Multer, a Node.js middleware used for handling multipart/form-data, affecting versions prior to 2.1.0. The flaw, classified under CWE-772 (Missing Release of Resource after Effective Lifetime), allows an attacker to trigger resource exhaustion by dropping a connection during a file upload. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its impact on availability.

The vulnerability can be exploited remotely over the network by unauthenticated attackers, with low attack complexity and no user interaction required. By initiating a file upload and abruptly terminating the connection, an attacker can cause Multer to fail to release resources, leading to potential exhaustion of server memory or other resources and thereby denying service to legitimate users.

Advisories recommend upgrading to Multer version 2.1.0, where the issue is patched, as detailed in the GitHub security advisory (GHSA-v52c-386h-88mc) and the specific commit (cccf0fe0e64150c4f42ccf6654165c0d66b9adab). No workarounds are available, and further details are provided in the OpenJSF security advisories and the official CVE record.
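As an added example (not code from the Cyber Posture page or the Multer project), the script below audits a package-lock.json for installed copies of multer older than the patched 2.1.0 release named above, including nested copies; the embedded lock file is constructed for illustration and the 2.1.0 threshold is taken from the advisory text.

```javascript
// Added example, not Multer project code: audit a package-lock.json
// (lockfileVersion 2 or 3) for copies of multer older than the patched
// release 2.1.0 named in the advisory above.
const PATCHED_MULTER = "2.1.0";

// Compare two dotted versions numerically; pre-release tags after "-"
// (e.g. "1.4.5-lts.1") are ignored. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a parsed lock file and report every installed
// copy of multer, including nested copies under another package's
// node_modules, with a flag saying whether it predates 2.1.0.
function findVulnerableMulter(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/multer") || !meta.version) continue;
    hits.push({
      path,
      version: meta.version,
      vulnerable: compareVersions(meta.version, PATCHED_MULTER) < 0,
    });
  }
  return hits;
}

// Constructed sample lock file: a direct dependency on an old multer and a
// nested copy that is already on the patched release.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "upload-service", dependencies: { multer: "^1.4.5-lts.1" } },
    "node_modules/multer": { version: "1.4.5-lts.1" },
    "node_modules/some-plugin/node_modules/multer": { version: "2.1.0" },
  },
};

for (const h of findVulnerableMulter(SAMPLE_LOCK)) {
  console.log(`${h.path} ${h.version} ${h.vulnerable ? "VULNERABLE" : "ok"}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of that project's package-lock.json (for example via JSON.parse on fs.readFileSync).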

Details

CWE(s): CWE-772

Affected Products: expressjs/multer, versions ≤ 2.1.0

CVEs Like This One

CVE-2026-3304 (same product: Expressjs Multer)
CVE-2026-3520 (same product: Expressjs Multer)
CVE-2025-30256 (shared CWE-772)
CVE-2025-22891 (shared CWE-772)
CVE-2025-24120 (shared CWE-772)
CVE-2026-3104 (shared CWE-772)
CVE-2026-20082 (shared CWE-772)
CVE-2026-2261 (shared CWE-772)
CVE-2025-27421 (shared CWE-772)
