Vulnerabilities in multer
Release: March19 release 2
Total Vulnerabilities: 7
Severity: HIGH (Score: 0.0)
Description:
Multer is a Node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping the connection during a file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-2359
Alert ID: 44fe99fb-4040-4f7c-9937-3aeeafadf4ab
Severity: HIGH (Score: 0.0)
Description:
Multer is a Node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing a stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-3520
Alert ID: 68633453-d6d3-46ca-9cd7-9d50a8ec758d
Severity: HIGH (Score: 5.9)
Description:
Impact
A vulnerability in Multer versions >=1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process.
Patches
Users should upgrade to 2.0.0
Workarounds
None
References
error event from busboy can crash http servers (expressjs/multer#1176)
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-47944
Alert ID: 81642bcf-a9e4-466f-9ae1-4c8439fd92ec
Severity: HIGH (Score: 0.0)
Description:
Impact
A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process.
Patches
Users should upgrade to 2.0.1
Workarounds
None
References
expressjs/multer@35a3272
expressjs/multer#1233
expressjs/multer#1256
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-48997
Alert ID: 8754e631-093b-49a8-ad9a-18b7db70f4f6
Severity: HIGH (Score: 5.9)
Description:
Impact
Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal busboy stream is not closed, violating Node.js stream safety guidance.
This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted.
Patches
Users should upgrade to 2.0.0
Workarounds
None
References
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-47935
Alert ID: 9c70c368-4e8b-430f-acce-3408c583339e
Severity: HIGH (Score: 0.0)
Description:
Multer is a Node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-3304
Alert ID: c325f465-a0be-4576-920c-b4f91452626e
Severity: HIGH (Score: 5.9)
Description:
Impact
A vulnerability in Multer versions >= 1.4.4-lts.1, < 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed request. This request causes an unhandled exception, leading to a crash of the process.
Patches
Users should upgrade to 2.0.2
Workarounds
None
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-7338
Alert ID: fa55affe-6f7e-4b7b-b4a2-d8e234b72459