
CVE-2025-48997: CWE-248: Uncaught Exception in expressjs multer

Severity: High
Type: Vulnerability | Tags: cve, cve-2025-48997, cwe-248
Published: Tue Jun 03 2025 (06/03/2025, 18:21:59 UTC)
Source: CVE Database V5
Vendor/Project: expressjs
Product: multer

Description

Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 06:16:33 UTC

Technical Analysis

CVE-2025-48997 is a high-severity vulnerability in Multer, the Node.js middleware that most Express.js applications use to parse multipart/form-data, typically for file uploads. It affects versions from 1.4.4-lts.1 up to but not including 2.0.1. An attacker sends an upload request containing a file part whose field name (the name parameter of the part's Content-Disposition header) is the empty string. Multer's handling of that part throws an exception that nothing catches, and the Node.js process exits. Because the exception is raised inside Multer's stream-processing callbacks rather than synchronously inside the route handler, a try/catch in application code or an Express error-handling middleware never sees it; the whole application instance goes down, which is the Denial of Service. The weakness is classified as CWE-248 (Uncaught Exception): input that should have been rejected with an error response instead terminates the process. The CVSS 4.0 base score of 8.7 reflects a network-reachable attack of low complexity that needs no privileges and no user interaction and has a high impact on availability, with no impact on confidentiality or integrity. There is no known workaround; the fix is to upgrade to Multer 2.0.1 or later. No in-the-wild exploitation has been reported, but a single malformed HTTP request is enough to trigger the crash, so any internet-facing application on a vulnerable version is at real risk.
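The affected range above has a subtlety that bites naive version checks: under semver, the pre-release tag in `1.4.4-lts.1` sorts before `1.4.4`, so a comparison that treats the `-lts.N` suffix as noise will misplace the lower bound. The following is an added example, not code from the advisory or from the Multer project, that applies the advisory's range (>= 1.4.4-lts.1, < 2.0.1) to the `packages` map of an npm lockfile (lockfileVersion 2 or 3), including nested copies pulled in by other packages. The lockfile fragment is constructed for the example; a real audit would read `package-lock.json` from disk.

```javascript
// Added example (not part of the advisory or of Multer): flag installed multer
// versions inside the range >= 1.4.4-lts.1 and < 2.0.1 from package-lock.json
// data. Handles the "-lts.N" pre-release tag correctly: under semver,
// 1.4.4-lts.1 sorts BEFORE 1.4.4, and 1.4.4-lts.2 sorts AFTER 1.4.4-lts.1.

// Parse "MAJOR.MINOR.PATCH[-pre.release]" into a comparable structure.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error('not a semver string: ' + v);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Compare pre-release identifier lists per the semver spec: a release beats any
// pre-release; numeric identifiers compare as numbers and rank below
// alphanumeric ones; a longer list with the same prefix ranks higher.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i], y = b[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      const d = Number(x) - Number(y);
      if (d !== 0) return Math.sign(d);
    } else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return Math.sign(a.length - b.length);
}

// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  return comparePre(pa.pre, pb.pre);
}

const AFFECTED_FROM = '1.4.4-lts.1'; // inclusive lower bound from the advisory
const FIXED_IN = '2.0.1';            // exclusive upper bound (patched release)

function isVulnerable(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Walk the "packages" map of a lockfile and report every installed copy of
// multer (top-level or nested under another dependency) with its verdict.
function auditLock(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/multer$/.test(path)) continue;
    results.push({ path, version: entry.version, vulnerable: isVulnerable(entry.version) });
  }
  return results;
}

// Constructed lockfile fragment for the example (not a real project's lockfile):
// a vulnerable top-level copy and a patched copy nested under another package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/multer': { version: '1.4.5-lts.2' },
    'node_modules/legacy-uploader/node_modules/multer': { version: '2.0.1' },
    'node_modules/express': { version: '4.21.2' },
  },
};

console.log(auditLock(SAMPLE_LOCK));
```

The nested copy matters: `npm ls multer` and `npm audit` report it too, but a grep of the top-level `package.json` alone would miss it, and it is exactly such transitive copies that tend to stay behind on an LTS release.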

Potential Impact

For European organizations, this vulnerability is a direct availability risk to any web application that accepts file uploads through Express.js and Multer. A single malformed upload request can take down the process, disrupting business operations, degrading service availability, and potentially causing reputational damage. Sectors that run Node.js backend services for customer- or citizen-facing upload workflows, such as e-commerce, healthcare, finance, and government, are particularly exposed. The impact is amplified where the vulnerable service runs as a single instance or with little redundancy, since the crash is a complete outage rather than a degraded one, and a scripted attacker can re-send the request as fast as the process restarts, producing sustained downtime. Confidentiality and integrity are not directly affected, but loss of availability can still bear on obligations under European regulations such as the GDPR, whose security-of-processing requirements (Article 32) include the ability to ensure the ongoing availability and resilience of processing systems. Because exploitation needs neither authentication nor user interaction, any internet-reachable upload endpoint on a vulnerable version can be attacked from anywhere.

Mitigation Recommendations

The primary and only complete mitigation is to upgrade Multer to version 2.0.1 or later. Audit codebases and lockfiles for vulnerable versions (`npm ls multer` lists every installed copy, including copies pulled in transitively by other packages, and `npm audit` reports this advisory) and prioritize patching internet-facing services. Be clear about what does not work: validating field names in application code after the Multer middleware has no effect, because the crash happens while Multer is parsing the body, before any route handler runs. Any pre-upgrade filtering therefore has to sit in front of the application, for example a reverse proxy or WAF rule that rejects multipart requests containing a part with an empty or missing `name` parameter in its Content-Disposition header; treat that as a temporary, best-effort control, not a fix, since the advisory lists no workaround. Rate limiting on upload endpoints narrows how fast an attacker can repeat the crash. A process manager such as PM2 or systemd configured to restart the Node.js process on exit limits the duration of each outage, but every in-flight request is still lost on each crash and an attacker can simply loop the request. Monitor for repeated process exits and for the upload requests that immediately precede them; a crash following a multipart request with an empty field name is the signature of an exploitation attempt. Finally, fold this vulnerability into incident response plans and make sure developers handle unexpected input gracefully rather than letting an exception escape from request parsing.
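As an added example (not Multer's, Express's or the advisory's own code), the check below is what an edge or WAF layer would run on a buffered multipart body before it reaches Multer: it splits the body at the boundary, reads each part's Content-Disposition header, and flags any part whose `name` parameter is the empty string, the request shape this advisory describes. It also flags a part with no `name` parameter at all, which goes slightly beyond the advisory; RFC 7578 requires that parameter on every part, so rejecting such requests is safe. The boundary, bodies and field names are constructed for the example, and the code assumes small, fully buffered bodies rather than streamed ones.

```javascript
// Added example for this advisory (not Multer's or Express's own code): a
// pre-parse check that flags multipart/form-data parts whose Content-Disposition
// carries an empty or missing name parameter. Meant for an edge/WAF layer that
// sees the body BEFORE Multer does; assumes small, fully buffered bodies.
// All sample requests below are constructed for the example.

const CRLF = '\r\n';

// Pull the boundary parameter out of a Content-Type header value.
function parseBoundary(contentType) {
  const m = /^multipart\/form-data\s*;.*?boundary=(?:"([^"]+)"|([^;\s]+))/i
    .exec(contentType || '');
  return m ? (m[1] || m[2]) : null;
}

// Split a buffered body at the boundary and return each part's header block.
function partHeaders(body, boundary) {
  const text = body.toString('latin1');    // byte-preserving; headers are ASCII
  const delim = '--' + boundary;
  const headers = [];
  let pos = text.indexOf(delim);
  while (pos !== -1) {
    pos += delim.length;
    if (text.startsWith('--', pos)) break;  // closing delimiter reached
    const lineEnd = text.indexOf(CRLF, pos);
    if (lineEnd === -1) break;               // truncated body
    const start = lineEnd + CRLF.length;
    const end = text.indexOf(CRLF + CRLF, start);
    if (end === -1) break;                   // headers never terminated
    headers.push(text.slice(start, end));
    pos = text.indexOf(delim, end);
  }
  return headers;
}

// Return the name parameter of a part's Content-Disposition header: '' when it
// is present but empty, null when the header or the parameter is missing.
function fieldName(headerBlock) {
  const line = headerBlock.split(CRLF).find((h) => /^content-disposition:/i.test(h));
  if (!line) return null;
  const m = /;\s*name=(?:"([^"]*)"|([^;\s]*))/i.exec(line);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

// Indexes (0-based) of parts with an empty or missing field name.
function findEmptyFieldNames(contentType, body) {
  const boundary = parseBoundary(contentType);
  if (!boundary) return [];                  // not multipart: nothing to check
  const hits = [];
  partHeaders(body, boundary).forEach((hdr, i) => {
    const name = fieldName(hdr);
    if (name === null || name === '') hits.push(i);
  });
  return hits;
}

// The decision an edge rule makes before handing the request to the app.
function shouldBlock(contentType, body) {
  return findEmptyFieldNames(contentType, body).length > 0;
}

// Build a multipart body for the samples (constructed, not captured traffic).
// Omit `name` to produce a part with no name parameter at all.
function buildBody(boundary, parts) {
  const chunks = parts.map(({ name, filename, type, data }) => {
    const disp = 'Content-Disposition: form-data' +
      (name !== undefined ? '; name="' + name + '"' : '') +
      (filename !== undefined ? '; filename="' + filename + '"' : '');
    return '--' + boundary + CRLF + disp + CRLF +
      (type ? 'Content-Type: ' + type + CRLF : '') + CRLF + data + CRLF;
  });
  return Buffer.from(chunks.join('') + '--' + boundary + '--' + CRLF, 'latin1');
}

const BOUNDARY = 'ExampleBoundary7d9a';
const CT = 'multipart/form-data; boundary=' + BOUNDARY;

// Ordinary upload: a text field plus a file part with a proper field name.
const benignBody = buildBody(BOUNDARY, [
  { name: 'title', data: 'quarterly report' },
  { name: 'upload', filename: 'report.pdf', type: 'application/pdf', data: '%PDF-1.4 ...' },
]);

// The trigger shape from the advisory: a file part whose name is the empty string.
const emptyNameBody = buildBody(BOUNDARY, [
  { name: '', filename: 'x.txt', type: 'text/plain', data: 'boom' },
]);

// Related malformed shape (beyond the advisory): a file part with no name parameter.
const missingNameBody = buildBody(BOUNDARY, [
  { filename: 'x.txt', type: 'text/plain', data: 'boom' },
]);

console.log('benign blocked?', shouldBlock(CT, benignBody));            // false
console.log('empty name blocked?', shouldBlock(CT, emptyNameBody));     // true
console.log('missing name blocked?', shouldBlock(CT, missingNameBody)); // true
```

Log the blocked request's boundary and source address when this rule fires: a match is also the detection signal the monitoring recommendation above relies on, and correlating it with a process restart on the backend confirms an exploitation attempt rather than a broken client.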


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-29T16:34:07.174Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 683f3ee7182aa0cae28796ba

Added to database: 6/3/2025, 6:28:55 PM

Last enriched: 7/11/2025, 6:16:33 AM

Last updated: 8/11/2025, 8:47:12 AM

