7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-47944

GHSA ID

GHSA-4pg4-qvpc-4q3h

EPSS Score

0.16828%

CWE

CWE-248

Published

5/19/2025

Updated

5/19/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-47944

CVE-2025-47944: Multer vulnerable to Denial of Service from maliciously crafted requests

Impact

A vulnerability in Multer versions >=1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process.

Patches

Users should upgrade to 2.0.0

Workarounds

None

References

https://github.com/expressjs/multer/issues/1176
https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-47944

GHSA ID

GHSA-4pg4-qvpc-4q3h

EPSS Score

0.16828%

CWE

CWE-248

Published

5/19/2025

Updated

5/19/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
multer	npm	>= 1.4.4-lts.1, < 2.0.0	2.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Denial of Service caused by an unhandled exception when processing malformed multipart requests. The patch in lib/make-middleware.js introduces better error handling within the multerMiddleware function (which is returned by makeMiddleware). Specifically, it adds an error listener to the req object and modifies the abortWithError function to ensure the request stream is fully drained and resumed when an error from busboy (the multipart parser) occurs. This prevents the unhandled exception. The makeMiddleware function is the core of Multer's request processing, and the changes directly address the DoS vector by ensuring errors during parsing do not crash the application. The test case added in test/express-integration.js also confirms that the multer().single() middleware (which uses makeMiddleware internally) was the point of failure for malformed requests.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * vuln*r**ility in Mult*r v*rsions >=*.*.*-lts.* *llows *n *tt**k*r to tri***r * **ni*l o* S*rvi** (*oS) *y s*n*in* * m*l*orm** multi-p*rt uplo** r*qu*st. T*is r*qu*st **us*s *n un**n*l** *x**ption, l***in* to * *r*s* o* t** pro**ss. ###

Reasoning

T** vuln*r**ility is * **ni*l o* S*rvi** **us** *y *n un**n*l** *x**ption w**n pro**ssin* m*l*orm** multip*rt r*qu*sts. T** p*t** in `li*/m*k*-mi**l*w*r*.js` intro*u**s **tt*r *rror **n*lin* wit*in t** `mult*rMi**l*w*r*` *un*tion (w*i** is r*turn** *

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-47944: Multer vulnerable to Denial of Service from maliciously crafted requests

Impact

Patches

Workarounds

References

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI