SB20260427155 - Multiple vulnerabilities in multer

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Incomplete cleanup (CVE-ID: CVE-2026-3304)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to incomplete cleanup in multer when handling malformed requests. A remote attacker can send malformed requests to cause a denial of service.

The issue may result in resource exhaustion.

2) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-2359)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to missing release of resource after effective lifetime in the file upload handling component when processing a file upload connection that is dropped prematurely. A remote attacker can drop the connection during file upload to cause a denial of service.

The issue can lead to resource exhaustion.

Remediation

Install update from vendor's website.

References

• https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p
• https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc