Skip to content

Commit 658ab65

Browse files
UlisesGasconctcpip
UlisesGascon
and
ctcpip
authored
blog: create "May 2025 Security Releases" (#1909)
Co-authored-by: Chris de Almeida <[email protected]>
1 parent cd9e6a3 commit 658ab65

File tree

1 file changed

+49
-0
lines changed

1 file changed

+49
-0
lines changed

_posts/2025-05-19-security-releases.md

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
---
2+
title: May 2025 Security Releases
3+
description: Security release for Multer has been published. We recommend that all users upgrade as soon as possible.
4+
tags: security vulnerabilities
5+
author: Ulises Gascón
6+
---
7+
8+
The Express team has released a new major version of [Multer](https://www.npmjs.com/package/multer) addressing two high-severity security vulnerabilities. This update improves the reliability and security of handling file uploads in Express applications.
9+
10+
{% include admonitions/warning.html
11+
content="We strongly recommend that you upgrade to Multer v2.0.0 or later as soon as possible."
12+
%}
13+
14+
The following vulnerabilities have been addressed:
15+
16+
- [High severity vulnerability CVE-2025-47935 in Multer middleware](#high-severity-vulnerability-cve-2025-47935-in-multer-middleware)
17+
- [High severity vulnerability CVE-2025-47944 in Multer middleware](#high-severity-vulnerability-cve-2025-47944-in-multer-middleware)
18+
19+
## High severity vulnerability CVE-2025-47935 in Multer middleware
20+
21+
**[Multer](https://www.npmjs.com/package/multer) versions `<2.0.0` are vulnerable to denial of service due to a memory leak caused by improper stream handling.**
22+
23+
When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance.
24+
25+
This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted.
26+
27+
**Affected versions**: `<2.0.0`
28+
**Patched version**: `>=2.0.0`
29+
30+
For more details, see [GHSA-44fp-w29j-9vj5](https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5).
31+
32+
## High severity vulnerability CVE-2025-47944 in Multer middleware
33+
34+
**[Multer](https://www.npmjs.com/package/multer) versions `>=1.4.4-lts.1` and `<2.0.0` are vulnerable to a denial of service via a malformed multipart request.**
35+
36+
A specially crafted request can cause an unhandled exception inside Multer, resulting in a crash of the server process.
37+
38+
**Affected versions**: `>=1.4.4-lts.1` and `<2.0.0`
39+
**Patched version**: `>=2.0.0`
40+
41+
For more details, see [GHSA-4pg4-qvpc-4q3h](https://github.com/expressjs/multer/security/advisories/GHSA-4pg4-qvpc-4q3h).
42+
43+
---
44+
45+
**Multer v2.0.0** also introduces a breaking change:
46+
47+
- The minimum supported Node.js version is now **10.16.0**.
48+
49+
We recommend upgrading to the latest version of Multer immediately to secure your applications.

0 commit comments

Comments
 (0)