Cyber Resilience

CVE-2026-3520

HighDDoSUpdated

Published: 04 March 2026

Published
04 March 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0055 41.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-3520 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Expressjs Multer. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-3520 is a denial-of-service vulnerability affecting Multer, a Node.js middleware library used for handling multipart/form-data, in versions prior to 2.1.1. The flaw enables an attacker to trigger a stack overflow by sending malformed requests, leading to application crashes. It is classified under CWE-674 (Uncontrolled Recursion) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its impact on availability.

The vulnerability can be exploited remotely over the network by unauthenticated attackers with no privileges or user interaction required. By crafting and sending specially malformed multipart/form-data requests to an affected endpoint, an attacker can cause uncontrolled recursion in Multer's parsing logic, resulting in a stack overflow that denies service to legitimate users through process termination or severe performance degradation.

Advisories recommend upgrading to Multer version 2.1.1, which includes a patch addressing the issue, as detailed in the commit at https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752 and the GitHub security advisory at https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2. No workarounds are available, and further details are provided by the OpenJSF CNA at https://cna.openjsf.org/security-advisories.html and the official CVE record at https://www.cve.org/CVERecord?id=CVE-2026-3520.

EU & UK References

Vulnerability details

Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1…

more

to receive a patch. No known workarounds are available.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

CVE enables remote exploitation of public-facing web middleware (Multer) to trigger application crash via stack overflow, directly mapping to initial access via vulnerable endpoint and endpoint DoS through application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2359Same product: Expressjs Multer
CVE-2026-3304Same product: Expressjs Multer
CVE-2026-40324Shared CWE-674
CVE-2026-1069Shared CWE-674
CVE-2026-33508Shared CWE-674
CVE-2025-70955Shared CWE-674
CVE-2026-31899Shared CWE-674
CVE-2026-33908Shared CWE-674
CVE-2026-42039Shared CWE-674
CVE-2024-57699Shared CWE-674

Affected Assets

expressjs
multer
≤ 2.1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of software flaws, such as upgrading Multer to version 2.1.1 to patch the uncontrolled recursion causing stack overflow.

preventdetect

Implements denial-of-service protections to counter attacks exploiting malformed multipart/form-data requests that trigger application crashes.

prevent

Requires validation of incoming information inputs to reject malformed multipart/form-data requests before they reach the vulnerable Multer parsing logic.

References