Multer Vulnerable to Denial of Service via Uncontrolled Recursion

🗓️ 05 Mar 2026 00:27:50Reported by GitHub Advisory DatabaseType

Multer vulnerability allows denial of service via uncontrolled recursion; upgrade to version 2.1.1.

Reporter	Title	Published	Views	Family All 28
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in multer-2.0.2.tgz	28 Apr 202619:28	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js module Multer (CVE-2026-2359, CVE-2026-3304 & CVE-2026-3520)	27 Mar 202617:32	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate with watsonx Assistant Cartridge	8 Jun 202607:11	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to vulnerabilities in Node.js dependencies	7 Apr 202616:09	–	ibm
IBM Security Bulletins	Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to multiple vulnerabilities in Node.js	20 Apr 202612:05	–	ibm
ATTACKERKB	CVE-2026-3520	4 Mar 202616:17	–	attackerkb
Chainguard	CVE-2026-3520 vulnerabilities	7 Mar 202601:17	–	cgr
Circl	CVE-2026-3520	4 Mar 202616:43	–	circl
CNNVD	Multer 安全漏洞	4 Mar 202600:00	–	cnnvd
CVE	CVE-2026-3520	4 Mar 202616:17	–	cve

Vulners

Node

Source	Link
github	www.github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-3520
github	www.github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752
cna	www.cna.openjsf.org/security-advisories.html
cve	www.cve.org/CVERecord
github	www.github.com/advisories/GHSA-5528-5vmv-3xc2

05 Mar 2026 00:27Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.17.5

CVSS 48.7

EPSS0.0055

SSVC