CVE-2025-48997

EPSS 0.25%

Multer vulnerable to Denial of Service via unhandled exception

Published: 6/5/2025Modified: 2/4/2026

Also known as:GHSA-g5hg-p3ph-g8qgCGA-qmrp-5vvj-r7pr

Description

### Impact A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. ### Patches Users should upgrade to `2.0.1` ### Workarounds None ### References https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9 https://github.com/expressjs/multer/issues/1233 https://github.com/expressjs/multer/pull/1256

Affected packages (1)

npm/multer>= 1.4.4-lts.1, < 2.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-48997
PATCHhttps://github.com/expressjs/multer
WEBhttps://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9
WEBhttps://github.com/expressjs/multer/issues/1233
WEBhttps://github.com/expressjs/multer/pull/1256
WEBhttps://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg