CVE-2026-3520
Published: 04 March 2026
Summary
CVE-2026-3520 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in Expressjs Multer. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-3520 is a denial-of-service vulnerability affecting Multer, a Node.js middleware library used for handling multipart/form-data, in versions prior to 2.1.1. The flaw enables an attacker to trigger a stack overflow by sending malformed requests, leading to application crashes. It is classified under CWE-674 (Uncontrolled Recursion) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its impact on availability.
The vulnerability can be exploited remotely over the network by unauthenticated attackers with no privileges or user interaction required. By crafting and sending specially malformed multipart/form-data requests to an affected endpoint, an attacker can cause uncontrolled recursion in Multer's parsing logic, resulting in a stack overflow that denies service to legitimate users through process termination or severe performance degradation.
Advisories recommend upgrading to Multer version 2.1.1, which includes a patch addressing the issue, as detailed in the commit at https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752 and the GitHub security advisory at https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2. No workarounds are available, and further details are provided by the OpenJSF CNA at https://cna.openjsf.org/security-advisories.html and the official CVE record at https://www.cve.org/CVERecord?id=CVE-2026-3520.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9423
Vulnerability details
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1…
more
to receive a patch. No known workarounds are available.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of public-facing web middleware (Multer) to trigger application crash via stack overflow, directly mapping to initial access via vulnerable endpoint and endpoint DoS through application exploitation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely remediation of software flaws, such as upgrading Multer to version 2.1.1 to patch the uncontrolled recursion causing stack overflow.
Implements denial-of-service protections to counter attacks exploiting malformed multipart/form-data requests that trigger application crashes.
Requires validation of incoming information inputs to reject malformed multipart/form-data requests before they reach the vulnerable Multer parsing logic.