CVE-2025-47935

Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665
https://github.com/expressjs/multer/pull/1120
https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5

Configurations

No configuration.

History

21 May 2025, 20:25

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-19 20:15

Updated : 2025-05-21 20:25

NVD link : CVE-2025-47935

Mitre link : CVE-2025-47935

CVE.ORG link : CVE-2025-47935

JSON object : View

Products Affected

No product.

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

{"id": "CVE-2025-47935", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-05-19T20:15:25.863", "references": [{"url": "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665", "source": "security-advisories@github.com"}, {"url": "https://github.com/expressjs/multer/pull/1120", "source": "security-advisories@github.com"}, {"url": "https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available."}, {"lang": "es", "value": "Multer es un middleware de Node.js para gestionar `multipart/form-data`. Las versiones anteriores a la 2.0.0 son vulnerables a problemas de agotamiento de recursos y fugas de memoria debido a un manejo inadecuado de los flujos. Cuando el flujo de solicitud HTTP emite un error, el flujo interno `busboy` no se cierra, lo que infringe las normas de seguridad de flujos de Node.js. Esto provoca la acumulaci\u00f3n de flujos sin cerrar, consumiendo memoria y descriptores de archivo. En caso de fallos continuos o repetidos, esto puede provocar una denegaci\u00f3n de servicio, lo que requiere reinicios manuales del servidor para la recuperaci\u00f3n. Todos los usuarios de Multer que gestionan la carga de archivos se ven potencialmente afectados. Los usuarios deben actualizar a la versi\u00f3n 2.0.0 para recibir una actualizaci\u00f3n. No se conocen workarounds."}], "lastModified": "2025-05-21T20:25:16.407", "sourceIdentifier": "security-advisories@github.com"}