Asymmetric denial of service in multer

Description

Multer vulnerable to Denial of Service via unhandled exception

Impact

A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending a file upload request with an empty-string field name. The request causes an unhandled exception, which crashes the process.

Patches

Users should upgrade to 2.0.1
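To check a dependency tree against the affected range given above, the following is an added example (not code from the advisory or from the multer project) that scans a package-lock.json "packages" map (lockfile v2/v3) for every installed copy of multer, nested copies included; the sample lockfile and the package name legacy-uploader are constructed.

```javascript
// Added example, not code from the advisory or the multer project: flag every
// installed copy of multer whose version falls in the affected range
// >=1.4.4-lts.1 <2.0.1 by reading a package-lock.json "packages" map (v2/v3).
const AFFECTED_MIN = '1.4.4-lts.1'; // inclusive lower bound
const PATCHED = '2.0.1';            // exclusive upper bound
// Split "major.minor.patch[-prerelease]" into a numeric core and prerelease ids.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}
// Semver precedence: numeric core first; a prerelease sorts below its release;
// numeric prerelease ids sort before alphanumeric ones; shorter id lists sort lower.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  if (!x.pre.length || !y.pre.length) return x.pre.length === y.pre.length ? 0 : (x.pre.length ? -1 : 1);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    const np = /^\d+$/.test(p), nq = /^\d+$/.test(q);
    if (np && nq) { if (+p !== +q) return +p < +q ? -1 : 1; continue; }
    if (np !== nq) return np ? -1 : 1;
    if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}
function isAffected(version) {
  return compare(version, AFFECTED_MIN) >= 0 && compare(version, PATCHED) < 0;
}

// Every entry whose path ends in node_modules/multer, nested copies included.
function findAffectedMulter(lockfileText) {
  const lock = JSON.parse(lockfileText);
  return Object.entries(lock.packages || {})
    .filter(([p, e]) => /(^|\/)node_modules\/multer$/.test(p) && e.version && isAffected(e.version))
    .map(([p, e]) => ({ path: p, version: e.version }));
}
// Constructed sample lockfile: the top-level copy is patched, a nested copy is not.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/multer': { version: '2.0.1' },
    'node_modules/legacy-uploader/node_modules/multer': { version: '1.4.5-lts.1' },
  },
});

console.log(findAffectedMulter(SAMPLE_LOCK)); // one hit: the nested 1.4.5-lts.1 copy
```

Run it against a real lockfile by replacing SAMPLE_LOCK with fs.readFileSync('package-lock.json', 'utf8'); lockfile v1 files, which use a nested "dependencies" tree instead of "packages", are not handled.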

Workarounds

None

References

https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9
https://github.com/expressjs/multer/issues/1233
https://github.com/expressjs/multer/pull/1256

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem: npm
Package: multer
Affected version: >=1.4.4-lts.1, <2.0.1
Patched versions: 2.0.1

FLAT-VNBTD – Vulnerability | Fluid Attacks Database