February 2026 Security Releases
The Express team has released a new patch version of multer addressing two high-severity security vulnerabilities.
Warning
We recommend upgrading to the latest version of multer to secure your applications.
The following vulnerabilities have been addressed:
CVE-2026-3304 in multer middleware (High)
multer versions <2.1.0 are vulnerable to denial of service via incomplete cleanup
A vulnerability in Multer versions <2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion.
Affected versions: < 2.1.0
Patched version: >= 2.1.0
For more details, see GHSA-xf7r-hgr6-v32p.
CVE-2026-2359 in multer middleware (High)
multer versions <2.1.0 are vulnerable to denial of service via resource exhaustion
A vulnerability in Multer versions <2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping the connection during a file upload, potentially causing resource exhaustion.
Affected versions: < 2.1.0
Patched version: >= 2.1.0
For more details, see GHSA-v52c-386h-88mc.