Two High-Severity Vulnerabilities in Multer Middleware for Node.js
Affected Versions: Multer versions 1.4.4-lts.1 up to but not including 2.0.0
Vulnerabilities:
- CVE-2025-47944: A malformed multipart/form-data upload request can cause an unhandled exception, crashing the Node.js server (Denial of Service).
- CVE-2025-47935: A memory leak triggered by HTTP request stream errors where Multer fails to close internal streams properly, leading to resource exhaustion and potential DoS.
Severity: Both vulnerabilities are high-risk; CVE-2025-47944 scores 7.5 on CVSS v3.1.
Impact:
- Allows attackers to crash applications without requiring any privileges or user interaction.
- Targets the core file-upload functionality, a common attack vector in public-facing apps.
- Can cause service outages affecting millions of applications relying on Multer.
Mitigation:
- No workarounds available.
- Immediate upgrade to Multer version 2.0.0 is required.
- Temporary monitoring of crash logs and system resources is recommended but not sufficient.
Broader Lesson: Even widely used and trusted Node.js packages can contain critical vulnerabilities, underscoring the need for regular dependency audits, automated scanning, and secure coding practices around untrusted input.
If you run Node.js apps using Multer, updating to v2.0.0 ASAP is essential to protect against these DoS vulnerabilities.