CVE-2025-47935

Severity: High (CVSS 3.1: 7.5)
EPSS: 46.6%
Published: May 19, 2025
Last Modified: Jun 17, 2026

Description

Multer is a Node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.
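The stream behaviour behind this description, as an added example that is not Multer's code or its patch: `readable.pipe()` does not close the destination when the source errors, so the handler has to do it. `PassThrough` streams stand in for the HTTP request and the `busboy` parser, and the helper names (`wireUpload`, `simulateFailedUpload`, `openParsersAfter`) are hypothetical.

```javascript
const { PassThrough } = require('stream');

// Hypothetical helper: pipes an incoming request into a multipart parser
// stream, the way upload middleware does, with or without error cleanup.
function wireUpload(req, parser, { closeOnError }) {
  const state = { error: null };
  req.pipe(parser);
  req.on('error', (err) => {
    state.error = err;      // the error is reported to the caller ...
    if (closeOnError) {
      req.unpipe(parser);   // ... and, in the safe variant, the parser is
      parser.destroy();     // detached and torn down explicitly
    }
  });
  return state;
}

// Constructed scenario: emitting 'error' on the stand-in request models a
// request stream that fails partway through an upload.
function simulateFailedUpload(closeOnError) {
  const req = new PassThrough();
  const parser = new PassThrough();
  const state = wireUpload(req, parser, { closeOnError });
  req.emit('error', new Error('constructed: request aborted'));
  return {
    errorSeen: state.error !== null,
    parserDestroyed: parser.destroyed,
    stillPiped: req.listenerCount('data') > 0, // pipe() keeps a 'data' listener
  };
}

// Count parser streams left open after n failed uploads.
function openParsersAfter(n, closeOnError) {
  let open = 0;
  for (let i = 0; i < n; i++) {
    if (!simulateFailedUpload(closeOnError).parserDestroyed) open++;
  }
  return open;
}

console.log('no cleanup  :', openParsersAfter(25, false), 'parsers left open');
console.log('with cleanup:', openParsersAfter(25, true), 'parsers left open');
```

In a long-running server each parser left open keeps its buffers and any file handles it owns, which is the accumulation the description refers to.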

CVSS Details

Base Score: 7.5
Exploitability: 3.9
Impact: 3.6
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability: 46.6% percentile
Exploit & Patch Status: No Known Exploit; No Patch Available

Weaknesses 1

CWE-401

References 3

  • https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665
  • https://github.com/expressjs/multer/pull/1120
  • https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.