CVE-2025-47935 (GCVE-0-2025-47935)
Vulnerability from cvelistv5
Published
2025-05-19 19:18
Modified
2025-05-27 20:28
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
  • CWE-401 - Missing Release of Memory after Effective Lifetime
Summary
Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.
References
Impacted products
Vendor Product Version
expressjs multer Version: < 2.0.0
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-47935",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-20T14:29:22.955614Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-27T20:28:27.244Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "multer",
          "vendor": "expressjs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-401",
              "description": "CWE-401: Missing Release of Memory after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-19T19:18:38.018Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5"
        },
        {
          "name": "https://github.com/expressjs/multer/pull/1120",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/expressjs/multer/pull/1120"
        },
        {
          "name": "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665"
        }
      ],
      "source": {
        "advisory": "GHSA-44fp-w29j-9vj5",
        "discovery": "UNKNOWN"
      },
      "title": "Multer vulnerable to Denial of Service via memory leaks from unclosed streams"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-47935",
    "datePublished": "2025-05-19T19:18:38.018Z",
    "dateReserved": "2025-05-14T10:32:43.529Z",
    "dateUpdated": "2025-05-27T20:28:27.244Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-47935\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-19T20:15:25.863\",\"lastModified\":\"2025-05-21T20:25:16.407\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.\"},{\"lang\":\"es\",\"value\":\"Multer es un middleware de Node.js para gestionar `multipart/form-data`. Las versiones anteriores a la 2.0.0 son vulnerables a problemas de agotamiento de recursos y fugas de memoria debido a un manejo inadecuado de los flujos. Cuando el flujo de solicitud HTTP emite un error, el flujo interno `busboy` no se cierra, lo que infringe las normas de seguridad de flujos de Node.js. Esto provoca la acumulaci\u00f3n de flujos sin cerrar, consumiendo memoria y descriptores de archivo. En caso de fallos continuos o repetidos, esto puede provocar una denegaci\u00f3n de servicio, lo que requiere reinicios manuales del servidor para la recuperaci\u00f3n. Todos los usuarios de Multer que gestionan la carga de archivos se ven potencialmente afectados. Los usuarios deben actualizar a la versi\u00f3n 2.0.0 para recibir una actualizaci\u00f3n. No se conocen workarounds.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-401\"}]}],\"references\":[{\"url\":\"https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/expressjs/multer/pull/1120\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-47935\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-20T14:29:22.955614Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-20T14:29:29.512Z\"}}], \"cna\": {\"title\": \"Multer vulnerable to Denial of Service via memory leaks from unclosed streams\", \"source\": {\"advisory\": \"GHSA-44fp-w29j-9vj5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"expressjs\", \"product\": \"multer\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.0.0\"}]}], \"references\": [{\"url\": \"https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5\", \"name\": \"https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/expressjs/multer/pull/1120\", \"name\": \"https://github.com/expressjs/multer/pull/1120\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665\", \"name\": \"https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-401\", \"description\": \"CWE-401: Missing Release of Memory after Effective Lifetime\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-19T19:18:38.018Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-47935\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-27T20:28:27.244Z\", \"dateReserved\": \"2025-05-14T10:32:43.529Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-19T19:18:38.018Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.