CVE-2026-3304
Published: 27 February 2026
Summary
CVE-2026-3304 is a high-severity Incomplete Cleanup (CWE-459) vulnerability in Expressjs Multer. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 5.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Mandates complete sanitization during cleanup so that shared resources (memory, caches, buffers) do not retain data across subjects.
- Operational retention schedules mandate complete cleanup of temporary or residual sensitive data after use.
- Termination of the non-persistent artifact guarantees cleanup of temporary state, directly countering incomplete cleanup weaknesses.
- Fail-safe procedures can explicitly require cleanup of temporary state, resources, or privileges on failure, so the system is not left in an inconsistent state.
- The explicit delete step when information is no longer needed implements the cleanup that this weakness omits.
- Enforces complete cleanup and sanitization steps during disposal, closing gaps that leave data remnants on retired components.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Malformed multipart requests exploit the parsing flaw in Multer to trigger resource exhaustion, which maps directly to Application or System Exploitation (T1499.004), a sub-technique of Endpoint Denial of Service.
NVD Description
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.
Deeper analysis (AI-generated)
CVE-2026-3304 is a vulnerability in Multer, a Node.js middleware used for handling multipart/form-data, affecting versions prior to 2.1.0. It enables attackers to trigger a Denial of Service (DoS) by sending malformed requests, which can lead to resource exhaustion. The issue is classified under CWE-459 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated attacker with network access can exploit this vulnerability with low attack complexity and no user interaction required. Exploitation involves crafting and sending malformed multipart/form-data requests to a vulnerable Multer instance, resulting in high-impact disruption to availability through resource exhaustion, while confidentiality and integrity remain unaffected.
Advisories, including those from the OpenJSF CNA and GitHub security notices, recommend upgrading to Multer version 2.1.0, which patches the issue via a specific commit. No known workarounds are available.
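Since the only remediation is upgrading to 2.1.0, the practical defender task is finding every copy of multer below that version in a dependency tree, including nested copies pulled in by other packages. The following script is an added example, not part of the advisory or of the Multer project; it walks the `packages` map of an npm lockfile (v2/v3 format) and flags vulnerable installs. The lockfile it runs against is constructed inline for illustration.

```javascript
// Added example: flag multer installs below the fixed release (2.1.0) in an
// npm lockfile. Versions are compared numerically on major.minor.patch; a
// prerelease/build suffix (e.g. "1.4.5-lts.1") is ignored for the comparison.
const FIXED = [2, 1, 0];

function parseVersion(v) {
  // Strip a leading "v" or "=" and anything after "-" or "+".
  const core = String(v).replace(/^[v=]/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return null;
  return parts;
}

// true  -> below 2.1.0 (vulnerable), false -> 2.1.0 or later,
// null  -> version string could not be parsed (review manually).
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return null;
  for (let i = 0; i < 3; i++) {
    if (p[i] < FIXED[i]) return true;
    if (p[i] > FIXED[i]) return false;
  }
  return false;
}

// Lockfile v2/v3 keys "packages" by install path, so nested copies appear as
// "node_modules/<dep>/node_modules/multer" and are caught as well.
function findVulnerableMulter(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/multer$/.test(path)) continue;
    if (isVulnerable(meta.version) === true) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one direct and one nested vulnerable copy,
// plus one nested copy that is already patched.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/multer': { version: '2.0.2' },
    'node_modules/legacy-upload': { version: '0.9.0' },
    'node_modules/legacy-upload/node_modules/multer': { version: '1.4.5-lts.1' },
    'node_modules/other/node_modules/multer': { version: '2.1.0' },
  },
};

console.log(findVulnerableMulter(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.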
Details
- CWE(s)