CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-47935: Multer vulnerable to Denial of Service via memory leaks from unclosed streams

7.5 CVSS

Description

Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.

Classification

CVE ID: CVE-2025-47935

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem Types

CWE-401: Missing Release of Memory after Effective Lifetime

Affected Products

Vendor: expressjs

Product: multer

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 15.3% (scored less or equal to compared to others)

EPSS Date: 2025-06-15 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-47935
https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5
https://github.com/expressjs/multer/pull/1120
https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665

Timeline

2025-05-19 20:40:10 UTC
CVE

Multer vulnerable to Denial of Service via memory leaks from unclosed streams
2025-05-19 23:15:37 UTC
Github Advisory Database (NPM)

[multer] Multer vulnerable to Denial of Service via memory leaks from unclosed streams