CVE-2025-48997 is a high-severity vulnerability affecting the Multer middleware for Node.js, specifically versions from 1.4.4-lts.1 up to but not including 2.0.1. Multer is widely used in Express.js applications to handle multipart/form-data, typically for file uploads. The vulnerability arises when an attacker sends an upload request containing a file field with an empty string as the field name. This malformed request triggers an unhandled exception within Multer's processing logic, causing the Node.js process to crash. Since the exception is uncaught, the entire application instance using Multer can become unavailable, resulting in a Denial of Service (DoS). The vulnerability is classified under CWE-248 (Uncaught Exception), indicating a failure to properly handle unexpected input conditions. The CVSS 4.0 base score of 8.7 reflects the high impact and ease of exploitation: the attack requires no authentication, no user interaction, and can be executed remotely over the network with low complexity. There are currently no known workarounds other than upgrading to Multer version 2.0.1 or later, where the issue has been patched. No exploits have been observed in the wild yet, but the simplicity of triggering the crash makes it a significant risk for applications relying on vulnerable Multer versions.

For European organizations, this vulnerability poses a substantial risk to web applications that handle file uploads using Express.js and Multer middleware. The Denial of Service caused by a simple malformed upload request can disrupt business operations, degrade service availability, and potentially lead to reputational damage. Organizations in sectors such as e-commerce, healthcare, finance, and government that rely on Node.js backend services are particularly vulnerable. The impact is amplified in environments where Multer is deployed in single-instance or low-redundancy setups, as the crash can cause complete service outages. Additionally, automated or scripted attacks could be used to repeatedly crash services, leading to sustained downtime. While this vulnerability does not directly compromise confidentiality or integrity, the availability impact can indirectly affect compliance with European regulations like GDPR, which mandate service reliability and data protection. The lack of authentication or user interaction requirements means that attackers can exploit this vulnerability from anywhere, increasing the threat surface for European organizations with internet-facing applications.

The primary and most effective mitigation is to upgrade Multer to version 2.0.1 or later, where the vulnerability has been fixed. Organizations should audit their codebases and dependencies to identify usage of vulnerable Multer versions and prioritize patching. In cases where immediate upgrade is not feasible, implementing input validation at the application layer to reject multipart requests with empty field names can reduce exposure. Additionally, deploying robust process management tools such as PM2 or systemd to automatically restart crashed Node.js processes can minimize downtime. Rate limiting and web application firewalls (WAFs) configured to detect and block malformed multipart requests may provide temporary protection. Monitoring application logs for repeated crashes or suspicious upload requests can help detect exploitation attempts early. Finally, organizations should incorporate this vulnerability into their incident response plans and ensure developers are aware of secure coding practices to handle unexpected input gracefully.