The vulnerability lies in a race condition within the makeMiddleware function in lib/make-middleware.js. When parsing a multipart form, the busboy library emits a 'file' event with a fileStream for each uploaded file. The provided patch adfeaf669f0e7fe953eab191a762164a452d143b shows that the 'error' event handler for this fileStream was previously attached too late. An attacker could send a specially crafted malformed request that causes busboy to emit an error on the fileStream before the application code had a chance to register its error handler. This unhandled error would propagate up, crashing the entire server process, thus causing a Denial of Service. The fix involves moving the fileStream.on('error', ...) block to the very beginning of the 'file' event callback, ensuring that any potential errors are caught immediately. The vulnerable function is identified as makeMiddleware because it orchestrates the setup of the middleware, including the vulnerable event handling logic.
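The ordering problem described above, reduced to a runnable model. This is an added example, not code from multer or busboy: `simulate`, `lateHandler`, `earlyHandler`, the deferred step and the error message are hypothetical stand-ins, and a Node.js `PassThrough` stream plays the role of the fileStream.

```javascript
const { EventEmitter } = require('node:events');
const { PassThrough } = require('node:stream');

// Constructed stand-in for the multipart parser (not busboy itself): it emits
// 'file' with a stream, and the stream then fails as on a malformed part.
function simulate(onFile) {
  const outcome = { handledByApp: false, uncaught: false };
  const deferred = []; // work the 'file' callback postpones
  const parser = new EventEmitter();
  const fileStream = new PassThrough();

  parser.on('file', (stream) =>
    onFile(stream, () => { outcome.handledByApp = true; }, (fn) => deferred.push(fn)));
  parser.emit('file', fileStream);

  try {
    // The error arrives before any deferred work has run.
    fileStream.emit('error', new Error('constructed parse error'));
  } catch (err) {
    // No 'error' listener: emit() throws. Outside this try/catch that is an
    // uncaught exception, which terminates a Node.js process by default.
    outcome.uncaught = true;
  }
  deferred.forEach((fn) => fn());
  return outcome;
}

// Before: the listener is registered only after a deferred step.
function lateHandler(fileStream, onError, defer) {
  defer(() => fileStream.on('error', onError));
}

// After: the listener is the first thing the 'file' callback registers.
function earlyHandler(fileStream, onError, defer) {
  fileStream.on('error', onError);
  defer(() => { /* filtering and storage would run here */ });
}

console.log('late :', simulate(lateHandler));
console.log('early:', simulate(earlyHandler));
```

The late variant reports `uncaught: true` because the listener is attached only after the error has already been emitted; the early variant routes the same error to the application's handler.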
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| multer | npm | >= 1.4.4-lts.1, < 2.0.2 | 2.0.2 |