CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Description
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available.
Analysis
This is a Denial of Service vulnerability in Multer (the Node.js multipart form-data middleware) affecting versions 1.4.4-lts.1 through 2.0.0: an attacker can crash the application process by uploading a file with an empty string field name, which triggers an unhandled exception. The vulnerability has a CVSS score of 8.7, indicating high severity, although the impact is limited to availability (DoS) rather than confidentiality or integrity. No active exploitation or public POC has been confirmed at this time, but the low attack complexity and network accessibility make this a practical DoS vector for any exposed Multer instance.
Technical Context
Multer is a widely deployed Node.js middleware library built on top of busboy that parses and handles multipart/form-data HTTP requests; it is commonly used in Express.js applications for file uploads. The vulnerability lies in the form field name validation logic: the middleware does not properly handle or validate empty string field names ('') in multipart requests, so the resulting exception propagates uncaught and crashes the Node.js process. This is a CWE-248 (Uncaught Exception) weakness, where an error condition is not caught and handled and attacker-controlled input (the empty field name) drives the application into a fatal state. The affected CPE would be: cpe:2.3:a:multer:multer:*:*:*:*:lts:node.js:*:* for versions 1.4.4-lts.1 through 2.0.0, and cpe:2.3:a:multer:multer:*:*:*:*:*:node.js:*:* for the main release branch up to 2.0.0.
Affected Products
Multer 1.4.4-lts.1 through 2.0.0 (inclusive)
Remediation
Upgrade Multer to version 2.0.1 or later (priority: CRITICAL). Update the package.json dependency to "multer": "^2.0.1" and run npm install or yarn upgrade.
Verification: Confirm the patched version in node_modules. Run npm list multer or yarn list multer to verify that version 2.0.1 or later is installed.
Testing: Test file upload endpoints with edge cases. Send test multipart requests with empty field names ('') to verify that the fix prevents crashes, and add automated regression tests for this case.
Workaround: No known workarounds prior to patching. Process restarts and monitoring can mitigate the impact temporarily, but upgrading is the only fix.
Monitoring: Enable process crash logging and alerting. Monitor application logs for unhandled exceptions, and implement PM2, systemd, or container restart policies to auto-recover from crashes while the patch is being deployed.
External POC / Exploit Code
EUVD-2025-16780
GHSA-g5hg-p3ph-g8qg