High severity · 7.5 (NVD) · Advisory · Published Jul 17, 2025 · Updated Apr 15, 2026
CVE-2025-7338
Description
Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| multer (npm) | >= 1.4.4-lts.1, < 2.0.2 | 2.0.2 |
Patches
12 files changed · +52 −5
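--- a/lib/make-middleware.js
+++ b/lib/make-middleware.js
@@ -101,6 +101,15 @@ function makeMiddleware (setup) {
 
     // handle files
     busboy.on('file', function (fieldname, fileStream, { filename, encoding, mimeType }) {
+      var pendingWritesIncremented = false
+
+      fileStream.on('error', function (err) {
+        if (pendingWritesIncremented) {
+          pendingWrites.decrement()
+        }
+        abortWithError(err)
+      })
+
       if (fieldname == null) return abortWithCode('MISSING_FIELD_NAME')
 
       // don't attach to the files object, if there is no file
@@ -132,6 +141,7 @@ function makeMiddleware (setup) {
       }
 
       var aborting = false
+      pendingWritesIncremented = true
       pendingWrites.increment()
 
       Object.defineProperty(file, 'stream', {
@@ -140,11 +150,6 @@ function makeMiddleware (setup) {
         value: fileStream
       })
 
-      fileStream.on('error', function (err) {
-        pendingWrites.decrement()
-        abortWithError(err)
-      })
-
       fileStream.on('limit', function () {
         aborting = true
         abortWithCode('LIMIT_FILE_SIZE', fieldname)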
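Review bot: The `fileStream.on('error', …)` registration moved to the top of the 'file' handler is order-sensitive and nothing in the hunk says why it now precedes the `fieldname == null` check: a malformed body makes busboy emit 'error' on the per-file stream, and a stream with no 'error' listener turns that event into an uncaught exception that ends the process, which is the crash the advisory describes. I would add above the registration: `// Attach before any early return: busboy emits 'error' on this stream for a malformed body, and an unlistened 'error' event crashes the process`. Separately, `pendingWritesIncremented` is never cleared, so if the stream can emit 'error' more than once, or after the write has already completed and the counter was decremented elsewhere (not visible in this hunk), `pendingWrites.decrement()` would run a second time; setting `pendingWritesIncremented = false` immediately before `pendingWrites.decrement()` makes the decrement one-shot. The enclosing `busboy.on('file', …)` callback starts in the first hunk and continues past the last one.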
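--- a/test/express-integration.js
+++ b/test/express-integration.js
@@ -196,4 +196,46 @@ describe('Express Integration', function () {
     req.write(body)
     req.end()
   })
+
+  it('should not crash on malformed multipart body with bad boundary', function (done) {
+    var upload = multer()
+
+    app.post('/upload3', upload.single('image'), function (req, res) {
+      res.status(500).end('Request should not be processed')
+    })
+
+    app.use(function (err, req, res, next) {
+      assert.strictEqual(err.message, 'Unexpected end of form')
+      res.status(200).end('Correct error')
+    })
+
+    var boundary = '----FormBoundary'
+    var body = [
+      '------FormBoundary',
+      'Content-Disposition: form-data; name="image"; filename=""',
+      'Content-Type: application/octet-stream',
+      '',
+      '', // empty content
+      '------FormBoundar' // intentionally malformed final boundary (missing 'y')
+    ].join('\r\n')
+
+    var options = {
+      hostname: 'localhost',
+      port,
+      path: '/upload3',
+      method: 'POST',
+      headers: {
+        'Content-Type': 'multipart/form-data; boundary=' + boundary,
+        'Content-Length': Buffer.byteLength(body)
+      }
+    }
+
+    var req = http.request(options, (res) => {
+      assert.strictEqual(res.statusCode, 200)
+      done()
+    })
+
+    req.write(body)
+    req.end()
+  })
 })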
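Review bot: The `assert.strictEqual(err.message, 'Unexpected end of form')` inside the `app.use` error handler cannot report a failure through `done`: a failing assertion there is thrown out of the error middleware, Express falls back to its default 500 response, and the `assert.strictEqual(res.statusCode, 200)` in the `http.request` callback then throws from an asynchronous callback, so the failure surfaces as an uncaught exception rather than a readable assertion attributed to this test. Route both checks through `done`, e.g. in the response callback `try { assert.strictEqual(res.statusCode, 200); done() } catch (e) { done(e) }`, and have the error handler store `err.message` in a local that the same callback asserts on instead of asserting inline. Note also that the error middleware is registered on the shared `app`, so any route added later in this `describe` block inherits it; the `describe` callback opens outside the hunk.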
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5
- github.com/advisories/GHSA-fjgf-rc76-4x9p (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-7338 (ghsa, ADVISORY)
- cna.openjsf.org/security-advisories.html (nvd, WEB)
- github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b (nvd, WEB)
- github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p (nvd, WEB)
News mentions
0
No linked articles in our index yet.