CVE-2025-48997

CVE-2025-48997

Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available.

Published Jun 4, 2025

https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg

CVSS ScoreHigh

8.7

Vulnerabilities

CVE-2025-48997

Published Jun 4, 2025

https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg

CVSS ScoreHigh

8.7

CVE-2025-48997 Security Details

CVE ID: CVE-2025-48997
CWE: CWE-248
CVE Description: Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available.
Published: Jun 4, 2025
CVSS Score & Severity: 8.7High
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.249%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: anon{10,17,a77b15c,f}()
JSVulnerable params: 0
makeMiddleware()
JSVulnerable params: 0
Affected Ecosystems: affected
Source: National Vulnerability Database
References: https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qgPROJECT

CVE-2025-48997 Security Details

CVE ID: CVE-2025-48997
CWE: CWE-248
CVE Description: Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available.
Published: Jun 4, 2025
CVSS Score & Severity: 8.7High
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.249%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: anon{10,17,a77b15c,f}()
JSVulnerable params: 0
makeMiddleware()
JSVulnerable params: 0
Affected Ecosystems: affected
Source: National Vulnerability Database
References: https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qgPROJECT

Find vulnerabilities. Fix fast with AI.

CVE-2025-48997

CVE-2025-48997 Security Details

CVE-2025-48997 Security Details