June 2025 Security Releases

05 Jun 2025

The Express team has released a new patch version of Multer, addressing a high-severity vulnerability that could lead to a Denial of Service (DoS) attack.

Warning

We strongly recommend that all users upgrade to Multer v2.0.1 or later immediately.

This release addresses the following vulnerability:

High severity vulnerability CVE-2025-48997 in Multer middleware

Multer versions >=1.4.4-lts.1 and <2.0.1 are vulnerable to a Denial of Service (DoS) attack.

An attacker can trigger this vulnerability by sending an upload request with an empty string as the field name. This malformed request causes an unhandled exception, leading to a crash of the server process.

Affected versions: >=1.4.4-lts.1 and <2.0.1
Patched version: 2.0.1

For more details, see GHSA-g5hg-p3ph-g8qg.
