The vulnerability is a Denial of Service caused by an unhandled exception when Multer processes a malformed multipart request. The patch in lib/make-middleware.js hardens the error handling inside the multerMiddleware function (the function returned by makeMiddleware). Specifically, it adds an error listener to the req object and changes the abortWithError function so that, when busboy (the multipart parser) reports an error, the request stream is resumed and fully drained rather than left half-read. With both changes, a parser error is reported through the middleware's error path instead of surfacing as an unhandled exception. Because makeMiddleware is the core of Multer's request processing, these changes address the DoS vector directly: an error during parsing no longer crashes the application. The test case added in test/express-integration.js confirms that the multer().single() middleware (which uses makeMiddleware internally) was the point of failure for malformed requests.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| multer | npm | >= 1.4.4-lts.1, < 2.0.0 | 2.0.0 |