Home > Vulnerability Database > CVE-2025-47935

Mend.io Vulnerability Database

CVE-2025-47935

Good to know:

Date: May 19, 2025

Multer is a node.js middleware for handling "multipart/form-data". Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal "busboy" stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available.

Severity Score

7.5

Related Resources (6)

Url: https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665

Url: https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5

Url: https://github.com/expressjs/multer

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-47935

Url: https://github.com/expressjs/multer/pull/1120

Url: https://www.mend.io/vulnerability-database/CVE-2025-47935

Severity Score

7.5

Weakness Type (CWE)

Missing Release of Memory after Effective Lifetime

CWE-401

Top Fix

Upgrade Version

Upgrade to version multer - 2.0.0;https://github.com/expressjs/multer.git - v2.0.0

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-47935

Good to know:

Date: May 19, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?