VYPR
High severity · NVD Advisory · Published Jun 3, 2025 · Updated Apr 15, 2026

CVE-2025-48997

Description

Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to 2.0.1 to receive a patch. No known workarounds are available.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| multer (npm) | >= 1.4.4-lts.1, < 2.0.1 | 2.0.1 |

Patches

3
35a3272b6119

Fixes https://github.com/expressjs/multer/issues/1233. Makes multer handle missing field names.

https://github.com/expressjs/multer · mmoz · Apr 23, 2024 · via ghsa
2 files changed · +15 0
  • lib/make-middleware.js+2 0 modified
    @@ -101,6 +101,8 @@ function makeMiddleware (setup) {
     
         // handle files
         busboy.on('file', function (fieldname, fileStream, { filename, encoding, mimeType }) {
    +      if (fieldname == null) return abortWithCode('MISSING_FIELD_NAME')
    +
           // don't attach to the files object, if there is no file
           if (!filename) return fileStream.resume()
     
    
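Review bot: The added guard `if (fieldname == null)` in the `busboy.on('file', ...)` handler matches only `null` and `undefined`, while the advisory text and the new test both describe an empty-string field name. Add a short comment stating how busboy reports an empty name to this handler, or reject `''` explicitly if that value can reach it. The early return also skips the `fileStream.resume()` that the following no-filename path performs, so confirm that `abortWithCode` does not leave the unread stream pending.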
  • test/error-handling.js+13 0 modified
    @@ -175,6 +175,19 @@ describe('Error Handling', function () {
         })
       })
     
    +  it('should notify of missing field name', function (done) {
    +    var form = new FormData()
    +    var storage = multer.memoryStorage()
    +    var parser = multer({ storage: storage }).single('small0')
    +
    +    form.append('', util.file('small0.dat'))
    +
    +    util.submitForm(parser, form, function (err, req) {
    +      assert.strictEqual(err.code, 'MISSING_FIELD_NAME')
    +      done()
    +    })
    +  })
    +
       it('should report errors from storage engines', function (done) {
         var storage = multer.memoryStorage()
     
    
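Review bot: In the new `should notify of missing field name` test, the callback reads `err.code` without first asserting that `err` is set, so a regression where no error is returned surfaces as a TypeError rather than a clear assertion failure. Add `assert.ok(err)` before the `strictEqual`. The test exercises only `.single('small0')` with memory storage; a second case using another upload mode would show that the guard applies regardless of the configured fields.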
