A critical vulnerability, tracked as CVE-2025-47944, has been discovered in Multer, the widely used Node.js middleware for handling multipart/form-data, a format essential for file uploads in web applications.
Affecting versions from 1.4.4-lts.1 up to but not including 2.0.0, this flaw allows attackers to crash servers by sending specially crafted multipart upload requests.
The vulnerability has been rated as high severity, with a CVSS score of 7.5, and is now patched in Multer version 2.0.0.
Multer is downloaded over 26 million times monthly and is a core dependency in countless Express.js applications. The vulnerability arises from improper handling of malformed multipart payloads.
When such a request is received, Multer throws an unhandled exception, causing the entire Node.js process to crash.
This opens the door to Denial of Service (DoS) attacks, where a single unauthenticated request can bring down critical services.
Technical Analysis: CWE-248 and Exploit Conditions
According to the report, the vulnerability is classified under CWE-248 (Uncaught Exception), indicating that Multer fails to properly handle exceptional conditions triggered by malformed requests.
Attackers do not need authentication or elevated privileges—simply sending a malformed multipart request is sufficient to exploit the bug. The attack vector is remote, and no user interaction is required.
Technical details:
- Affected versions: >=1.4.4-lts.1, <2.0.0
- Patched version: 2.0.0
- Attack vector: Remote (network)
- Privileges required: None
- User interaction: None
- Impact: Complete process crash (Denial of Service)
No public proof-of-concept exploit has been released, but the risk is significant due to the ease of exploitation and the widespread use of Multer.
Example of vulnerable code:
```javascript
const express = require('express');
const multer = require('multer');
const app = express();
const upload = multer({ dest: 'uploads/' }); // any Multer >=1.4.4-lts.1, <2.0.0 is affected
// A malformed multipart body reaching this route triggers the unhandled exception
app.post('/upload', upload.single('file'), (req, res) => {
  res.send('File uploaded!');
});
app.listen(3000);
```
If the server receives a maliciously crafted multipart request, it can crash, making the endpoint unavailable until the process is restarted.
Remediation: Upgrade and Best Practices
There are no workarounds for this vulnerability.
The only effective mitigation is to upgrade Multer to version 2.0.0 or later, which includes a patch for this issue.
To upgrade, run:
```bash
npm install multer@2.0.0
```
The Express.js team and security advisories strongly recommend all users audit their applications for vulnerable Multer versions and upgrade immediately.
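As an added example (not code from the advisory or from Multer itself), the following script checks installed Multer versions against the affected range stated above, implementing semver ordering so that prerelease tags such as `1.4.4-lts.1` compare correctly; the `auditLockfile` helper and the sample lockfile fragment are constructed for illustration.

```javascript
// Added example (not code from the advisory or from Multer): flag Multer versions
// in the advisory's affected range >=1.4.4-lts.1, <2.0.0 with proper semver ordering.
function parseSemver(v) {
  // "MAJOR.MINOR.PATCH[-PRERELEASE]" -> numeric core plus prerelease identifiers
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}
// Returns -1, 0 or 1. Core numbers first; a version without a prerelease ranks above
// the same core with one (1.4.4-lts.1 < 1.4.4, 2.0.0-rc.1 < 2.0.0).
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; i < Math.min(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return Number(p) < Number(q) ? -1 : 1;
    if (pn !== qn) return pn ? -1 : 1; // numeric identifiers rank below alphanumeric ones
    return p < q ? -1 : 1;
  }
  return Math.sign(x.pre.length - y.pre.length); // longer prerelease list ranks higher
}
const AFFECTED_MIN = '1.4.4-lts.1'; // inclusive lower bound stated in the advisory
const FIXED = '2.0.0';              // first patched release, exclusive upper bound
function isVulnerableMulter(version) {
  return compareSemver(version, AFFECTED_MIN) >= 0 && compareSemver(version, FIXED) < 0;
}
// Walk a parsed package-lock.json (lockfileVersion 2 or 3) and report every installed
// copy of multer, including nested copies pulled in by other dependencies.
function auditLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith('node_modules/multer'))
    .map(([path, info]) => ({ path, version: info.version, vulnerable: isVulnerableMulter(info.version) }));
}
// Constructed sample lockfile fragment, not taken from any real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/express': { version: '4.19.2' },
  'node_modules/multer': { version: '1.4.5-lts.1' },
  'node_modules/legacy-tool/node_modules/multer': { version: '2.0.0' },
} };
for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.vulnerable ? 'VULNERABLE (CVE-2025-47944)' : 'ok'}`);
}
```

Note that by semver ordering a plain `1.4.4` sorts above `1.4.4-lts.1`, so the stated range covers it as well, while any `2.0.0-*` prerelease still sorts below the fixed `2.0.0`.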
Additional best practices include:
- Implementing input validation for file upload endpoints
- Monitoring server logs for unusual upload patterns
- Applying rate limiting to file upload routes
Failure to upgrade leaves applications exposed to trivial DoS attacks, potentially resulting in prolonged downtime and disruption of business-critical services.
Summary Table
| Affected Versions | Fixed Version | CVE ID | Severity | Attack Vector | Workaround |
|---|---|---|---|---|---|
| >=1.4.4-lts.1, <2.0.0 | 2.0.0 | CVE-2025-47944 | High | Remote | None |
Administrators and developers are urged to update their dependencies without delay to ensure the continued security and reliability of their Node.js applications.