{
  "threat_severity" : "Important",
  "public_date" : "2026-03-04T16:17:18Z",
  "bugzilla" : {
    "description" : "multer: Multer: Denial of Service via malformed requests",
    "id" : "2444584",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2444584"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.", "A denial of service flaw was found in Multer, a Node.js middleware for handling `multipart/form-data`. A remote attacker can send specially crafted malformed requests which may induce a stack overflow. This can lead to a Denial of Service (DoS) making the service unavailable." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Developer Hub 1.8",
    "release_date" : "2026-03-30T00:00:00Z",
    "advisory" : "RHSA-2026:6174",
    "cpe" : "cpe:/a:redhat:rhdh:1.8::el9",
    "package" : "rhdh/rhdh-hub-rhel9:1774545605"
  }, {
    "product_name" : "Red Hat Developer Hub 1.9",
    "release_date" : "2026-04-07T00:00:00Z",
    "advisory" : "RHSA-2026:6802",
    "cpe" : "cpe:/a:redhat:rhdh:1.9::el9",
    "package" : "rhdh/rhdh-hub-rhel9:1775140647"
  } ],
  "package_state" : [ {
    "product_name" : "Self-service automation portal 2",
    "fix_state" : "Affected",
    "package_name" : "ansible-automation-platform/automation-portal",
    "cpe" : "cpe:/a:redhat:ansible_portal:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-3520\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3520\nhttps://cna.openjsf.org/security-advisories.html\nhttps://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752\nhttps://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2" ],
  "name" : "CVE-2026-3520",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}