Denial of Service Vulnerability in Multer by Express.js
CVE-2025-7338

7.5 HIGH

Key Information:

Vendor: Expressjs

Status
Vendor
CVE Published: 17 July 2025

What is CVE-2025-7338?

Multer, a Node.js middleware library for handling multipart/form-data, is susceptible to a Denial of Service (DoS) vulnerability. The issue affects versions from 1.4.4-lts.1 up to, but not including, 2.0.2: an attacker can send a malformed multipart upload request that triggers an unhandled exception and crashes the application process. Users are strongly advised to update to version 2.0.2, which contains the fix. There are currently no alternative workarounds.

Affected Version(s)

multer 1.4.4-lts.1 < 2.0.2

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
