CVE-2025-47935

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-47935

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47935.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-47935

Aliases

GHSA-44fp-w29j-9vj5

Published

2025-05-19T20:15:25Z

Modified

2025-05-21T22:53:43.772840Z

Summary

[none]

Details

Multer is a node.js middleware for handling multipart/form-data. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal busboy stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.

References

Affected packages

Git / github.com/expressjs/multer

Affected ranges

Type: GIT
Repo: https://github.com/expressjs/multer
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2c8505f207d923dd8de13a9f93a4563e59933665

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.1.0

v1.2.0

v1.2.1

v1.3.0

v1.3.1

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.4-lts.1

v1.4.5-lts.1

v1.4.5-lts.2