Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Primary rating from GitHub Advisory.
Blast Radius
Ecosystem impact: 1,504 npm packages depend on multer (11 direct, 1,493 indirect). Ecosystem-wide dependent count for version 1.4.4-lts.1.
Description (GitHub Advisory)
Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to 2.0.1 to receive a patch. No known workarounds are available.
Analysis (AI)
Denial of Service vulnerability in Multer (Node.js multipart/form-data middleware) affecting versions 1.4.4-lts.1 through 2.0.0: an unauthenticated attacker can crash the application process by sending a file upload whose form field name is the empty string, which triggers an unhandled exception. The CVSS 4.0 base score is 8.7 (High); the vector reflects availability impact only (VA:H), with no confidentiality or integrity impact. No active exploitation or public POC has been confirmed at this time, but the low attack complexity, the absence of any privilege or user-interaction requirement, and network reachability make this a practical DoS vector for any exposed Multer instance: a single request is enough to terminate a process that has no restart supervisor.
Technical Context (AI)
Multer is a widely deployed Node.js middleware, built on top of busboy, that parses multipart/form-data requests; it is the usual choice for file uploads in Express.js applications. The vulnerability is in how the middleware handles the form field name of an uploaded file: an empty string ('') in the part's Content-Disposition name attribute is neither rejected nor handled, and the resulting exception propagates uncaught and terminates the Node.js process. This is a CWE-248 (Uncaught Exception) weakness: attacker-controlled input reaches a code path whose error is never caught, so one malformed request becomes a fatal application state. Indicative CPE patterns (an assumption, not confirmed against NVD) would be cpe:2.3:a:multer:multer:*:*:*:*:lts:node.js:*:* for the LTS line from 1.4.4-lts.1 through 2.0.0 and cpe:2.3:a:multer:multer:*:*:*:*:*:node.js:*:* for the main release line up to 2.0.0.
Remediation (AI)
Upgrade (priority: critical): Update Multer to version 2.0.1 or later. Set "multer": "^2.0.1" in package.json and run npm install or yarn upgrade.
Verification: Confirm the patched version is what actually resolved in node_modules with npm list multer or yarn list multer (expect 2.0.1 or newer).
Testing: Send multipart requests with an empty field name ('') to every file upload endpoint and confirm the process no longer crashes; keep that request as an automated regression test.
Workaround: None prior to patching. Process restarts and monitoring limit the outage caused by a crash but do not remove the trigger; upgrading is the only fix.
Monitoring: Log and alert on process crashes and unhandled exceptions; use PM2, systemd, or container restart policies to auto-recover until the patch is deployed.
Identifiers
EUVD-2025-16780
GHSA-g5hg-p3ph-g8qg