Alert IDs:
- 0a6031d9-c7bf-4060-b1d3-c6f565286458
- 14bafa2b-edd5-40f8-abe8-2b51f6212e1a
- 69f817cc-cc9b-4623-acf7-5b9ef37bf9c8
- 6f83dbb3-5625-4d55-ae62-53896df4496d
- a3482da3-8804-4762-8d7a-aaffe74292ed
- b47a3e28-aaa5-440d-a4c6-64c7953bee5d
- ddfae057-c093-46f6-908d-b6628687e1eb
Vulnerabilities in multer
Release: March19
Total Vulnerabilities: 7
Severity: HIGH (Score: 5.9)
Description:
Impact
A vulnerability in Multer versions >= 1.4.4-lts.1, < 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed request. This request causes an unhandled exception, leading to a crash of the process.
Patches
Users should upgrade to 2.0.2
Workarounds
None
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-7338
Alert ID: 0a6031d9-c7bf-4060-b1d3-c6f565286458
Severity: HIGH (Score: 5.9)
Description:
Impact
Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal busboy stream is not closed, violating Node.js stream safety guidance.
This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted.
Patches
Users should upgrade to 2.0.0
Workarounds
None
References
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-47935
Alert ID: 14bafa2b-edd5-40f8-abe8-2b51f6212e1a
Severity: HIGH (Score: 0.0)
Description:
Multer is a node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-3520
Alert ID: 69f817cc-cc9b-4623-acf7-5b9ef37bf9c8
Severity: HIGH (Score: 0.0)
Description:
Multer is a node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-3304
Alert ID: 6f83dbb3-5625-4d55-ae62-53896df4496d
Severity: HIGH (Score: 0.0)
Description:
Multer is a node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-2359
Alert ID: a3482da3-8804-4762-8d7a-aaffe74292ed
Severity: HIGH (Score: 5.9)
Description:
Impact
A vulnerability in Multer versions >=1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process.
Patches
Users should upgrade to 2.0.0
Workarounds
None
References
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-47944
Alert ID: b47a3e28-aaa5-440d-a4c6-64c7953bee5d
Severity: HIGH (Score: 0.0)
Description:
Impact
A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process.
Patches
Users should upgrade to 2.0.1
Workarounds
None
References
expressjs/multer@35a3272
expressjs/multer#1233
expressjs/multer#1256
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-48997
Alert ID: ddfae057-c093-46f6-908d-b6628687e1eb
Alert IDs:
Vulnerabilities in multer
Release: March19
Total Vulnerabilities: 7
1. CVE-2025-7338
Severity: HIGH (Score: 5.9)
Description:
Impact
A vulnerability in Multer versions >= 1.4.4-lts.1, < 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed request. This request causes an unhandled exception, leading to a crash of the process.
Patches
Users should upgrade to
2.0.2Workarounds
None
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-7338
Alert ID: 0a6031d9-c7bf-4060-b1d3-c6f565286458
2. CVE-2025-47935
Severity: HIGH (Score: 5.9)
Description:
Impact
Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal
busboystream is not closed, violating Node.js stream safety guidance.This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted.
Patches
Users should upgrade to
2.0.0Workarounds
None
References
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-47935
Alert ID: 14bafa2b-edd5-40f8-abe8-2b51f6212e1a
3. CVE-2026-3520
Severity: HIGH (Score: 0.0)
Description:
Multer is a node.js middleware for handling
multipart/form-data. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-3520
Alert ID: 69f817cc-cc9b-4623-acf7-5b9ef37bf9c8
4. CVE-2026-3304
Severity: HIGH (Score: 0.0)
Description:
Multer is a node.js middleware for handling
multipart/form-data. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-3304
Alert ID: 6f83dbb3-5625-4d55-ae62-53896df4496d
5. CVE-2026-2359
Severity: HIGH (Score: 0.0)
Description:
Multer is a node.js middleware for handling
multipart/form-data. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-2359
Alert ID: a3482da3-8804-4762-8d7a-aaffe74292ed
6. CVE-2025-47944
Severity: HIGH (Score: 5.9)
Description:
Impact
A vulnerability in Multer versions >=1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process.
Patches
Users should upgrade to
2.0.0Workarounds
None
References
errorevent from busboy can crash http servers expressjs/multer#1176Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-47944
Alert ID: b47a3e28-aaa5-440d-a4c6-64c7953bee5d
7. CVE-2025-48997
Severity: HIGH (Score: 0.0)
Description:
Impact
A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process.
Patches
Users should upgrade to
2.0.1Workarounds
None
References
expressjs/multer@35a3272
expressjs/multer#1233
expressjs/multer#1256
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-48997
Alert ID: ddfae057-c093-46f6-908d-b6628687e1eb