CVE-2025-48997 — Multer vulnerable to Denial of Service via unhandled exception

Description

### Impact A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. ### Patches Users should upgrade to `2.0.1` ### Workarounds None ### References https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9 https://github.com/expressjs/multer/issues/1233 https://github.com/expressjs/multer/pull/1256

How to fix CVE-2025-48997

To remediate CVE-2025-48997, upgrade the affected package to a fixed version below.

—upgrade to 2.0.1 or later

Is CVE-2025-48997 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.4.4-lts.1, < 2.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-48997
PATCHgithub.com/expressjs/multer
WEBgithub.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9
WEBgithub.com/expressjs/multer/issues/1233
WEB