Description
Vulnerable Library - multer-1.4.5-lts.1.tgz
Middleware for handling `multipart/form-data`.
Library home page: https://registry.npmjs.org/multer/-/multer-1.4.5-lts.1.tgz
Path to dependency file: /backend-node/package.json
Path to vulnerable library: /backend-node/node_modules/multer/package.json
Vulnerabilities
| Vulnerability | Severity | Dependency | Type | Fixed in (multer version) | Remediation Possible** | |
|---|---|---|---|---|---|---|
| CVE-2026-3520 | 7.5 | multer-1.4.5-lts.1.tgz | Direct | 2.1.1 | ✅ | |
| CVE-2026-3304 | 7.5 | multer-1.4.5-lts.1.tgz | Direct | 2.1.0 | ✅ | |
| CVE-2026-2359 | 7.5 | multer-1.4.5-lts.1.tgz | Direct | 2.1.0 | ✅ | |
| CVE-2025-7338 | 7.5 | multer-1.4.5-lts.1.tgz | Direct | 2.0.2 | ✅ | |
| CVE-2025-48997 | 7.5 | multer-1.4.5-lts.1.tgz | Direct | 2.0.1 | ✅ | |
| CVE-2025-47944 | 7.5 | multer-1.4.5-lts.1.tgz | Direct | 2.0.0 | ✅ | |
| CVE-2025-47935 | 7.5 | multer-1.4.5-lts.1.tgz | Direct | 2.0.0 | ✅ | |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-3520
Dependency Hierarchy:
- ❌ multer-1.4.5-lts.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Multer is a node.js middleware for handling "multipart/form-data". A vulnerability in Multer prior to version 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow. Users should upgrade to version 2.1.1 to receive a patch. No known workarounds are available.
Publish Date: 2026-03-04
URL: CVE-2026-3520
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-04
Fix Resolution: 2.1.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-3304
Dependency Hierarchy:
- ❌ multer-1.4.5-lts.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Multer is a node.js middleware for handling "multipart/form-data". A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.
Publish Date: 2026-02-27
URL: CVE-2026-3304
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-27
Fix Resolution: 2.1.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-2359
Dependency Hierarchy:
- ❌ multer-1.4.5-lts.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Multer is a node.js middleware for handling "multipart/form-data". A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to receive a patch. No known workarounds are available.
Publish Date: 2026-02-27
URL: CVE-2026-2359
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-27
Fix Resolution: 2.1.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-7338
Dependency Hierarchy:
- ❌ multer-1.4.5-lts.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Multer is a node.js middleware for handling "multipart/form-data". A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available.
Publish Date: 2025-07-17
URL: CVE-2025-7338
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-fjgf-rc76-4x9p
Release Date: 2025-07-17
Fix Resolution: 2.0.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-48997
Dependency Hierarchy:
- ❌ multer-1.4.5-lts.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Multer is a node.js middleware for handling "multipart/form-data". A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to "2.0.1" to receive a patch. No known workarounds are available.
Publish Date: 2025-06-03
URL: CVE-2025-48997
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-g5hg-p3ph-g8qg
Release Date: 2025-06-03
Fix Resolution: 2.0.1
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-47944
Dependency Hierarchy:
- ❌ multer-1.4.5-lts.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Multer is a node.js middleware for handling "multipart/form-data". A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.0 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.0 to receive a patch. No known workarounds are available.
Publish Date: 2025-05-19
URL: CVE-2025-47944
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-4pg4-qvpc-4q3h
Release Date: 2025-05-19
Fix Resolution: 2.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-47935
Dependency Hierarchy:
- ❌ multer-1.4.5-lts.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Multer is a node.js middleware for handling "multipart/form-data". Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal "busboy" stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.
Publish Date: 2025-05-19
URL: CVE-2025-47935
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-44fp-w29j-9vj5
Release Date: 2025-05-19
Fix Resolution: 2.0.0
⛑️ Automatic Remediation will be attempted for this issue.