CVE-2025-47944

HIGH7.5EPSS 0.04%

Multer vulnerable to Denial of Service from maliciously crafted requests

Published: 5/19/2025Modified: 2/4/2026

Also known as:GHSA-4pg4-qvpc-4q3hCGA-3pfw-h9j7-554q

Description

### Impact A vulnerability in Multer versions >=1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. ### Patches Users should upgrade to `2.0.0` ### Workarounds None ### References - https://github.com/expressjs/multer/issues/1176 - https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665

Affected packages (1)

npm/multer>= 1.4.4-lts.1, < 2.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-47944
PATCHhttps://github.com/expressjs/multer
WEBhttps://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665
WEBhttps://github.com/expressjs/multer/issues/1176
WEBhttps://github.com/expressjs/multer/security/advisories/GHSA-4pg4-qvpc-4q3h