
CVE-2025-47944: Multer vulnerable to Denial of Service from maliciously crafted requests

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.16828%
Published: 5/19/2025
Updated: 5/19/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name: multer
Ecosystem: npm
Vulnerable Versions: >= 1.4.4-lts.1, < 2.0.0
First Patched Version: 2.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a Denial of Service caused by an unhandled exception when processing malformed multipart requests. The patch in lib/make-middleware.js introduces better error handling within the multerMiddleware function (which is returned by makeMiddleware). Specifically, it adds an error listener to the req object and modifies the abortWithError function to ensure the request stream is fully drained and resumed when an error from busboy (the multipart parser) occurs. This prevents the unhandled exception. The makeMiddleware function is the core of Multer's request processing, and the changes directly address the DoS vector by ensuring errors during parsing do not crash the application. The test case added in test/express-integration.js also confirms that the multer().single() middleware (which uses makeMiddleware internally) was the point of failure for malformed requests.


WAF Protection Rules

WAF Rule

Impact
A vulnerability in Multer versions >= 1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process.
