Two high-severity security flaws have been identified in Multer, a popular middleware used in Node.js applications for handling file uploads. The Multer vulnerabilities, tracked as CVE-2025-47944 and CVE-2025-47935, affect all versions from 1.4.4-lts.1 up to but not including 2.0.0.
According to the GitHub post, the two vulnerabilities “allow an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process”.
Details of the High-Risk Multer Vulnerabilities
The first vulnerability, associated with CVE-2025-47944, allows attackers to crash a Node.js application by sending a maliciously crafted multipart/form-data request. This malformed request causes an unhandled exception during parsing, leading to an immediate termination of the server process. According to GitHub advisory GHSA-4pg4-qvpc-4q3h, this flaw scores a 7.5 on the CVSS v3.1 scale, categorizing it as a high-severity issue.
In a separate but equally critical finding, CVE-2025-47935 reveals a memory leak vulnerability in versions prior to 2.0.0. The issue arises when HTTP request streams emit errors, and Multer fails to close the internal busboy stream properly. Over time, this results in unclosed streams accumulating, consuming valuable system resources like memory and file descriptors. The outcome: a potential DoS scenario that could cripple a server under sustained or repeated failure conditions.
Both flaws were initially reported and analyzed by security researcher @ctcpip, with contributions from @max-mathieu, @wesleytodd, @UlisesGascon, and @marco-ippolito. Their collective findings emphasize the severity and ease of exploitation, given that no privileges or user interaction are required to trigger the issues.
Why These Vulnerabilities Matter
What makes these flaws particularly malicious is the middleware’s core function—it handles user-uploaded content. This inherently places it on the front lines of attack surfaces, especially in public-facing applications. As such, even a single malicious request can exploit this weakness, potentially leading to complete service outages.
Multer is deeply embedded in the Node.js ecosystem. With millions of weekly downloads via npm, it powers file uploads for applications ranging from personal websites to enterprise-grade platforms.
According to the official advisories and discussions around issues #1176 and #1120, there are no workarounds available for either vulnerability. The only effective mitigation is upgrading to version 2.0.0, which includes the necessary patches to close these security gaps.
For organizations unable to deploy the update immediately, increased monitoring of crash logs and system resources is recommended as a temporary protection method, though this is by no means a replacement for a proper fix.
Conclusion
The flaws—CVE-2025-47944 and CVE-2025-47935—highlight a broader lesson for the Node.js community: even widely adopted and trusted packages can introduce critical security risks.
To mitigate the risk associated with CVE-2025-47944 and CVE-2025-47935, organizations should apply proactive security practices, including regular dependency audits, automated vulnerability scanning, and adherence to Node.js stream safety guidelines, especially when handling untrusted input like file uploads.
Additionally, all developers and organizations using Multer should immediately upgrade to version 2.0.0, as no workarounds exist.
