CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47944 – Multer vulnerable to Denial of Service from maliciously crafted requests
https://notcve.org/view.php?id=CVE-2025-47944
19 May 2025 — Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.0 to receive a patch. No known workarounds are available. • https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665 • CWE-248: Uncaught Exception •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47935 – Multer vulnerable to Denial of Service via memory leaks from unclosed streams
https://notcve.org/view.php?id=CVE-2025-47935
19 May 2025 — Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manua... • https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665 • CWE-401: Missing Release of Memory after Effective Lifetime •