CVE-2026-3520

High

Published: 04 March 2026

Published

04 March 2026

Modified

09 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0006 19.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3520 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Expressjs Multer. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CP-7 Alternate Processing Site

addresses: CWE-674

Supports resumption at alternate site when uncontrolled recursion causes primary site failure or crash.

SC-5 Denial-of-service Protection

addresses: CWE-674

Prevents uncontrolled recursion that exhausts stack or CPU resources.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

CVE enables remote exploitation of public-facing web middleware (Multer) to trigger application crash via stack overflow, directly mapping to initial access via vulnerable endpoint and endpoint DoS through application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1…

to receive a patch. No known workarounds are available.

Deeper analysisAI

CVE-2026-3520 is a denial-of-service vulnerability affecting Multer, a Node.js middleware library used for handling multipart/form-data, in versions prior to 2.1.1. The flaw enables an attacker to trigger a stack overflow by sending malformed requests, leading to application crashes. It is classified under CWE-674 (Uncontrolled Recursion) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its impact on availability.

The vulnerability can be exploited remotely over the network by unauthenticated attackers with no privileges or user interaction required. By crafting and sending specially malformed multipart/form-data requests to an affected endpoint, an attacker can cause uncontrolled recursion in Multer's parsing logic, resulting in a stack overflow that denies service to legitimate users through process termination or severe performance degradation.

Advisories recommend upgrading to Multer version 2.1.1, which includes a patch addressing the issue, as detailed in the commit at https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752 and the GitHub security advisory at https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2. No workarounds are available, and further details are provided by the OpenJSF CNA at https://cna.openjsf.org/security-advisories.html and the official CVE record at https://www.cve.org/CVERecord?id=CVE-2026-3520.