
Commit f263365

Authored by UlisesGascon, LinusU, ctcpip, jonchurch
blog: July 2025 Security Releases (#1994)
Co-authored-by: Linus Unnebäck <[email protected]>
Co-authored-by: Chris de Almeida <[email protected]>
Co-authored-by: Jon Church <[email protected]>
1 parent 3f02c01 commit f263365

File tree

1 file changed

+46
-0
lines changed

@@ -0,0 +1,46 @@
1+
---
2+
title: July 2025 Security Releases
3+
description: Security releases for Multer and On-headers has been published. We recommend that all users upgrade as soon as possible.
4+
tags: security vulnerabilities
5+
authors:
6+
- name: Ulises Gascón
7+
github: UlisesGascon
8+
---
9+
10+
The Express team has released a new patch version of [Multer](https://www.npmjs.com/package/multer) addressing a high-severity security vulnerability, and a new minor version of [on-headers](https://www.npmjs.com/package/on-headers) addressing a low-severity security vulnerability.
11+
12+
13+
{% include admonitions/warning.html
14+
content="We recommend upgrading to the latest version of Multer and On-headers immediately to secure your applications."
15+
%}
16+
17+
The following vulnerabilities have been addressed:
18+
19+
- [High severity vulnerability CVE-2025-7338 in Multer middleware](#high-severity-vulnerability-cve-2025-7338-in-multer-middleware)
20+
- [Low severity vulnerability CVE-2025-7339 in On-header middleware](#low-severity-vulnerability-cve-2025-7339-in-on-header-middleware)
21+
22+
## High severity vulnerability CVE-2025-7338 in Multer middleware
23+
24+
**[Multer](https://www.npmjs.com/package/multer) versions `>=1.4.4-lts.1` and `<2.0.2` are vulnerable to denial of service via unhandled exception from malformed request.**
25+
26+
This request causes an unhandled exception, leading to a crash of the process.
27+
28+
**Affected versions**: `>=1.4.4-lts.1, <2.0.2`
29+
**Patched version**: `2.0.2`
30+
31+
For more details, see [GHSA-fjgf-rc76-4x9p](https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p).
32+
33+
## Low severity vulnerability CVE-2025-7339 in On-header middleware
34+
35+
**[On-headers](https://www.npmjs.com/package/on-headers) versions `<1.1.0` is vulnerable to http response header manipulation**
36+
37+
A bug in on-headers versions `<1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`
38+
39+
**Affected versions**: `<1.1.0`
40+
**Patched version**: `1.1.0`
41+
42+
For more details, see [GHSA-76c9-3jph-rj3q](https://github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q).
43+
44+
---
45+
46+
We recommend upgrading to the latest version of Multer and On-headers immediately to secure your applications.
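Review bot: the front-matter description (file line 3) and the on-headers summary (file line 35) have subject-verb agreement errors, and the second section's heading, its table-of-contents anchor (file line 20) and its heading (file line 33) call the package "On-header" while the rest of the post and the linked npm package use "on-headers"; suggest `description: Security releases for Multer and on-headers have been published.`, `versions `<1.1.0` are vulnerable to HTTP response header manipulation.` and `## Low severity vulnerability CVE-2025-7339 in on-headers middleware`, with the link on file line 20 changed to the matching anchor so the in-page navigation keeps working. On file line 26, "This request" has no antecedent; lead with the trigger, e.g. "A malformed request triggers an unhandled exception that crashes the process." The closing line (file line 46) repeats the admonition on file line 14 word for word; it would be more useful as concrete upgrade instructions, such as `npm install multer@2.0.2 on-headers@1.1.0`, plus a hint that on-headers may reach an application as a transitive dependency, so readers should check their lockfile (`npm ls on-headers`) rather than only their direct dependencies.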
