Search for packages
| purl | pkg:npm/multer@2.0.0 |
| Next non-vulnerable version | 2.1.1 |
| Latest non-vulnerable version | 3.0.0-alpha.1 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1mcm-t5zu-skbu
Aliases: CVE-2026-2359 GHSA-v52c-386h-88mc |
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available. |
Affected by 1 other vulnerability. |
|
VCID-75q2-tqb2-cub8
Aliases: CVE-2025-48997 GHSA-g5hg-p3ph-g8qg |
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available. |
Affected by 4 other vulnerabilities. |
|
VCID-gq87-pjtd-wyg5
Aliases: CVE-2025-7338 GHSA-fjgf-rc76-4x9p |
Affected by 3 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-t744-ytsg-dydy
Aliases: CVE-2026-3520 GHSA-5528-5vmv-3xc2 |
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available. |
Affected by 0 other vulnerabilities. |
|
VCID-uytp-m7m5-kufp
Aliases: CVE-2026-3304 GHSA-xf7r-hgr6-v32p |
Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1vav-v8et-fubc | Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available. |
CVE-2025-47935
GHSA-44fp-w29j-9vj5 |
| VCID-hqd9-tffc-xqfk | Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.0 to receive a patch. No known workarounds are available. |
CVE-2025-47944
GHSA-4pg4-qvpc-4q3h |