
CVE-2026-2359

Severity: High (updated)

Published: 27 February 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0056 (42.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-2359 is a high-severity Missing Release of Resource after Effective Lifetime (CWE-772) vulnerability in Expressjs Multer. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 42.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-2359 is a denial-of-service vulnerability in Multer, a Node.js middleware used for handling multipart/form-data, affecting versions prior to 2.1.0. The flaw, classified under CWE-772 (Failed to Release Resource), allows an attacker to trigger resource exhaustion by dropping a connection during a file upload process. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its impact on availability.

The vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction required. By initiating a file upload and abruptly terminating the connection, an attacker can cause Multer to fail in releasing resources, leading to potential exhaustion of server memory or other resources, thereby denying service to legitimate users.

Advisories recommend upgrading to Multer version 2.1.0, where the issue is patched, as detailed in the GitHub security advisory (GHSA-v52c-386h-88mc) and the specific commit (cccf0fe0e64150c4f42ccf6654165c0d66b9adab). No workarounds are available, and further details are provided in the OpenJSF security advisories and the official CVE record.


Vulnerability details

Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping the connection during a file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Directly enables Endpoint DoS via application exploitation by triggering resource exhaustion on connection drop during multipart uploads.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3304 (same product: Expressjs Multer)
CVE-2026-3520 (same product: Expressjs Multer)
CVE-2025-22891 (shared CWE-772)
CVE-2025-24120 (shared CWE-772)
CVE-2026-35227 (shared CWE-772)
CVE-2026-42577 (shared CWE-772)
CVE-2025-30256 (shared CWE-772)
CVE-2026-39455 (shared CWE-772)
CVE-2026-20082 (shared CWE-772)
CVE-2026-2261 (shared CWE-772)

Affected Assets

expressjs
multer
≤ 2.1.0

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: Directly addresses the CVE by requiring timely remediation of the specific flaw in Multer through patching to version 2.1.0.

Prevent: Provides denial-of-service protections such as rate limiting or connection throttling to mitigate resource exhaustion from dropped upload connections.

Prevent: Enforces resource allocation limits and priorities to prevent exhaustion of memory or other resources triggered by the vulnerability.
