With over 26.3 million monthly downloads, Multer is a go-to middleware for handling multipart/form-data in Node.js, especially for file uploads. But two newly disclosed vulnerabilities, CVE-2025-47944 and CVE-2025-47935, have exposed serious Denial of Service (DoS) risks to applications relying on this popular library.
If your Node.js application handles file uploads using Multer and you're not running version 2.0.0 or higher, you may be vulnerable.
CVE-2025-47944 (CVSS 7.5): DoS via Malformed Multipart Requests
This vulnerability affects Multer versions ≥ 1.4.4-lts.1 and allows an attacker to craft malicious multipart requests that crash the server.
"This request causes an unhandled exception, leading to a crash of the process," the advisory explains.
The issue stems from Multer's inability to safely handle specially crafted multipart payloads. Attackers don't need authentication or elevated privileges; a single malformed upload request can bring down the server.
CVE-2025-47935 (CVSS 7.5): DoS via Memory Leaks from Unclosed Streams
This second vulnerability hits all Multer versions < 2.0.0 and relates to unsafe stream handling:
"When the HTTP request stream emits an error, the internal busboy stream is not closed… This leads to unclosed streams accumulating over time, consuming memory and file descriptors," the advisory explains.
In essence, this creates a resource exhaustion vector. Unclosed streams continue to stack up under sustained upload errors, eventually requiring manual restarts to restore service.
This flaw is especially dangerous in high-throughput environments, where persistent upload failures, malicious or otherwise, can silently grind servers to a halt.
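Since both advisories are fixed by the same upgrade, the practical check is whether the Multer version in your lockfile falls inside the affected ranges. The following is an added example, not code from the article or the Multer project: a dependency-free Node.js comparator that understands Multer's `-lts.N` prerelease tags and reports which of the two CVEs apply to a given version string (the sample version strings are constructed).

```javascript
// Added example, not from the article or Multer: flag an installed Multer version
// that sits inside the affected ranges the two advisories give. Dependency-free;
// the comparator follows semver precedence (1.4.4-lts.1 sorts before 1.4.4).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// Sort-style comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (A.core[i] !== B.core[i]) return A.core[i] - B.core[i];
  }
  if (A.pre.length === 0 && B.pre.length === 0) return 0;
  if (A.pre.length === 0) return 1;   // a plain release outranks any prerelease
  if (B.pre.length === 0) return -1;
  for (let i = 0; i < Math.max(A.pre.length, B.pre.length); i++) {
    if (A.pre[i] === undefined) return -1; // shorter prerelease list sorts first
    if (B.pre[i] === undefined) return 1;
    const na = /^\d+$/.test(A.pre[i]), nb = /^\d+$/.test(B.pre[i]);
    if (na && nb) { if (+A.pre[i] !== +B.pre[i]) return +A.pre[i] - +B.pre[i]; }
    else if (na) return -1;            // numeric identifiers rank below alphanumeric
    else if (nb) return 1;
    else if (A.pre[i] !== B.pre[i]) return A.pre[i] < B.pre[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges as the article states them: >= min (when given) and < max.
const ADVISORIES = [
  { id: 'CVE-2025-47944', min: '1.4.4-lts.1', max: '2.0.0' },
  { id: 'CVE-2025-47935', min: null, max: '2.0.0' },
];

// Returns the ids of the advisories that cover the given installed version.
function affectedBy(installed) {
  return ADVISORIES
    .filter(a => compareVersions(installed, a.max) < 0 &&
                 (a.min === null || compareVersions(installed, a.min) >= 0))
    .map(a => a.id);
}

// Constructed sample versions, e.g. as read from a lockfile's multer entry.
console.log(affectedBy('1.4.5-lts.1')); // both ids
console.log(affectedBy('2.0.0'));       // []
```

Feed it the `version` field of the `multer` entry from `package-lock.json`; an empty result means the installed build is outside both stated ranges.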