We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-47935

Multer vulnerable to Denial of Service via memory leaks from unclosed streams



Description

Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.

Reserved 2025-05-14 | Published 2025-05-19 | Updated 2025-05-27 | Assigner GitHub_M


HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-401: Missing Release of Memory after Effective Lifetime

Product status

< 2.0.0
affected

References

github.com/...multer/security/advisories/GHSA-44fp-w29j-9vj5

github.com/expressjs/multer/pull/1120

github.com/...ommit/2c8505f207d923dd8de13a9f93a4563e59933665

cve.org (CVE-2025-47935)

nvd.nist.gov (CVE-2025-47935)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-47935

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.