CVE-2026-2359: Multer vulnerable to Denial of Service via resource exhaustion
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.
Security readout for executives and security teams
Plain-English summary
Multer, a common Node.js upload middleware, can be forced into resource exhaustion if a client drops a connection during a file upload. For businesses, the main risk is service disruption on applications that accept uploads. The published fix is upgrading Multer to version 2.1.0.
Executive priority
Treat as high priority for any public upload service because the stated business impact is outage risk, not data theft. Patch quickly where Multer handles uploads exposed to untrusted users.
Technical view
CVE-2026-2359 is a network-reachable, unauthenticated denial-of-service issue in expressjs/multer before 2.1.0. The CVE cites CWE-772 and CVSS 4.0 score 8.7, with high availability impact and no stated confidentiality or integrity impact. The source bundle names no workaround.
Likely exposure
Exposure is likely in Node.js or Express applications using Multer before 2.1.0 to process multipart/form-data uploads, especially internet-facing upload endpoints that accept untrusted client connections.
Exploitation context
The source bundle does not show CISA KEV listing or cited active exploitation. It describes a denial-of-service condition triggered by dropped upload connections, but does not provide evidence of exploitation in the wild.
Researcher notes
Evidence is strongest for affected package, impact, CVSS, CWE, and fixed version. The provided affected-version structure is inconsistent with the description, so use the advisory description of versions before 2.1.0 as the actionable basis.
Mitigation direction
Upgrade expressjs/multer to version 2.1.0 or later.
Prioritize public upload endpoints and unauthenticated file-upload routes.
If unable to upgrade immediately, check vendor guidance; no workaround is named in sources.
Review downstream vendor advisories if Multer is bundled through a platform package.
Validation and detection
Inventory applications and dependencies for expressjs/multer usage.
Confirm deployed Multer versions are 2.1.0 or later.
Identify routes accepting multipart/form-data uploads from untrusted clients.
Verify dependency lockfiles and runtime containers reflect the patched version.
Check monitoring for availability degradation around upload endpoints.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-772: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-772 · source CWE mapping
Missing Release of Resource after Effective Lifetime
Missing Release of Resource after Effective Lifetime represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.