{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-47935", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-05-14T10:32:43.529Z", "datePublished": "2025-05-19T19:18:38.018Z", "dateUpdated": "2025-05-27T20:28:27.244Z"}, "containers": {"cna": {"title": "Multer vulnerable to Denial of Service via memory leaks from unclosed streams", "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "lang": "en", "description": "CWE-401: Missing Release of Memory after Effective Lifetime", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5"}, {"name": "https://github.com/expressjs/multer/pull/1120", "tags": ["x_refsource_MISC"], "url": "https://github.com/expressjs/multer/pull/1120"}, {"name": "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665", "tags": ["x_refsource_MISC"], "url": "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665"}], "affected": [{"vendor": "expressjs", "product": "multer", "versions": [{"version": "< 2.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-19T19:18:38.018Z"}, "descriptions": [{"lang": "en", "value": "Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-44fp-w29j-9vj5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-20T14:29:22.955614Z", "id": "CVE-2025-47935", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-27T20:28:27.244Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-47935", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-20T14:29:22.955614Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-20T14:29:29.512Z"}}], "cna": {"title": "Multer vulnerable to Denial of Service via memory leaks from unclosed streams", "source": {"advisory": "GHSA-44fp-w29j-9vj5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "expressjs", "product": "multer", "versions": [{"status": "affected", "version": "< 2.0.0"}]}], "references": [{"url": "https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5", "name": "https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/expressjs/multer/pull/1120", "name": "https://github.com/expressjs/multer/pull/1120", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665", "name": "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401: Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-05-19T19:18:38.018Z"}}}, "cveMetadata": {"cveId": "CVE-2025-47935", "state": "PUBLISHED", "dateUpdated": "2025-05-27T20:28:27.244Z", "dateReserved": "2025-05-14T10:32:43.529Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-05-19T19:18:38.018Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Multer is a node.js middleware for handling `multipart/form-data`. Versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. Users should upgrade to 2.0.0 to receive a patch. No known workarounds are available."}, {"lang": "es", "value": "Multer es un middleware de Node.js para gestionar `multipart/form-data`. Las versiones anteriores a la 2.0.0 son vulnerables a problemas de agotamiento de recursos y fugas de memoria debido a un manejo inadecuado de los flujos. Cuando el flujo de solicitud HTTP emite un error, el flujo interno `busboy` no se cierra, lo que infringe las normas de seguridad de flujos de Node.js. Esto provoca la acumulaci\u00f3n de flujos sin cerrar, consumiendo memoria y descriptores de archivo. En caso de fallos continuos o repetidos, esto puede provocar una denegaci\u00f3n de servicio, lo que requiere reinicios manuales del servidor para la recuperaci\u00f3n. Todos los usuarios de Multer que gestionan la carga de archivos se ven potencialmente afectados. Los usuarios deben actualizar a la versi\u00f3n 2.0.0 para recibir una actualizaci\u00f3n. No se conocen workarounds."}], "id": "CVE-2025-47935", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-05-19T20:15:25.863", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665"}, {"source": "security-advisories@github.com", "url": "https://github.com/expressjs/multer/pull/1120"}, {"source": "security-advisories@github.com", "url": "https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}