Multer DoS Vulnerability (CVE-2025-7338): How a Single Malformed Upload Can Crash Your Node.js App

A critical Denial of Service flaw in Multer (CVE-2025-7338) lets attackers crash Node.js servers with a single malformed multipart upload. Here’s a technical breakdown, affected versions, and how to patch.
CVE Analysis

8 min read

ZeroPath Security Research


2025-07-17


A single malformed upload request can take down your entire Node.js application—no authentication required. That’s the real-world impact of CVE-2025-7338, a high-severity Denial of Service (DoS) flaw in Multer, the most widely used file upload middleware for Express.js. With over 26 million monthly downloads, Multer is a critical dependency for web and enterprise apps across the Node.js ecosystem. When a vulnerability like this emerges, the potential for widespread disruption is massive.

Technical Information

CVE-2025-7338 is rooted in how Multer handles multipart/form-data—the encoding used for file uploads. The vulnerability affects Multer versions starting from 1.4.4-lts.1 up to, but not including, 2.0.2.

Vulnerability Mechanism:

Multer relies on the Busboy parser to process incoming multipart requests. If a request contains malformed data—such as an empty field name or an improperly terminated boundary—Busboy emits an error event. Prior to version 2.0.2, Multer did not implement proper error handling for these cases. As a result, the error bubbles up as an uncaught exception, instantly terminating the Node.js process.

Attack Vector:

An attacker can exploit this by sending a single HTTP POST request with a crafted payload. For example:

  POST /upload HTTP/1.1
  Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
  Content-Length: 145

  ------WebKitFormBoundary
  Content-Disposition: form-data; name=""; filename="exploit.txt"
  Content-Type: text/plain

  [Malicious payload]
  ------WebKitFormBoundary--

This malformed request triggers an error in Busboy due to the empty name attribute. Because Multer does not catch this error, the process crashes. No authentication or special privileges are needed—anyone with network access can exploit this flaw.

Root Cause:

The root cause is a missing error handler for Busboy’s error events. When Busboy encounters malformed input, it emits an error. Without a handler, Node.js treats this as a fatal exception, terminating the process.

Affected Middleware Methods:

All Multer middleware methods are affected:

  • single()
  • array()
  • fields()

Any Express.js or similar application using these methods with a vulnerable Multer version is at risk.

Patch Information

To address the Denial of Service (DoS) vulnerability in Multer versions >=1.4.4-lts.1 and <2.0.2, the development team released version 2.0.2, which includes a critical fix. The vulnerability allowed attackers to crash the application by sending malformed requests that triggered unhandled exceptions.

The patch adds the missing handler for Busboy's error events: a parse error raised by malformed input is now caught and passed along the request's error path instead of surfacing as an uncaught exception, so the application can reject the bad request without the Node.js process terminating.

Users are strongly advised to upgrade to Multer version 2.0.2 to mitigate this vulnerability. The update ensures that the application remains robust against such DoS attacks by effectively managing exceptions.

Patch sources:

Affected Systems and Versions

  • Product: Multer (Node.js middleware for handling multipart/form-data)
  • Affected Versions: All versions from 1.4.4-lts.1 up to, but not including, 2.0.2
  • Vulnerable Configurations: Any application using Multer for file uploads with the above versions, regardless of configuration. All middleware methods (single, array, fields) are affected.

Vendor Security History

Multer is maintained by the Express.js team and is the de facto standard for file uploads in Node.js. The team has a strong record of responding quickly to security issues. In 2025, three critical vulnerabilities—including CVE-2025-7338—were patched within weeks of disclosure. Previous vulnerabilities (such as CVE-2025-47944 and CVE-2025-47935) were also addressed promptly, reflecting a mature and responsive security posture.

References

Source: This report was created using AI

If you have suggestions for improvement or feedback, please reach out to us at [email protected]
