CVE-2025-47935 Overview
CVE-2025-47935 is a memory leak and resource exhaustion vulnerability affecting Multer, a popular Node.js middleware used for handling multipart/form-data in file upload scenarios. Versions prior to 2.0.0 contain improper stream handling that can lead to denial of service conditions.
The vulnerability stems from a failure to properly close the internal busboy stream when the HTTP request stream emits an error. This violates Node.js stream safety guidance and results in unclosed streams accumulating over time. As these streams persist, they consume both memory and file descriptors, eventually leading to resource exhaustion.
Critical Impact
Under sustained or repeated failure conditions, this vulnerability can cause denial of service, requiring manual server restarts to recover. All applications using Multer for file uploads are potentially impacted.
Affected Products
- Multer versions prior to 2.0.0
- Node.js applications using vulnerable Multer middleware for file uploads
- Express.js applications implementing multipart/form-data handling via Multer
Discovery Timeline
- 2025-05-19 - CVE-2025-47935 published to NVD
- 2025-05-21 - Last updated in NVD database
Technical Details for CVE-2025-47935
Vulnerability Analysis
This vulnerability is classified under CWE-401 (Missing Release of Memory after Effective Lifetime), indicating a resource management flaw where allocated memory is not properly released when it is no longer needed.
The core issue lies in Multer's stream handling implementation. When processing multipart file uploads, Multer relies on the busboy library to parse incoming data streams. Under normal operation, these streams are created, processed, and then properly closed. However, when an error occurs in the HTTP request stream, the corresponding busboy stream is never terminated.
This creates a situation where error conditions—whether caused by network interruptions, client disconnections, malformed requests, or intentional abuse—result in orphaned stream objects that remain in memory. Each failed request potentially leaves behind an unclosed stream, and over time, these accumulated resources can exhaust available memory and file descriptors.
Root Cause
The root cause is improper error handling in the stream management code. When the HTTP request stream emits an error event, the cleanup logic fails to propagate the closure to the internal busboy stream instance. This violates the fundamental Node.js stream contract that requires proper cleanup of resources when streams encounter errors or complete their lifecycle.
The fix implemented in version 2.0.0 ensures that when an error occurs on the request stream, all associated internal streams—including the busboy parser stream—are properly destroyed and their resources released.
Attack Vector
The attack vector for this vulnerability is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Initiating multiple file upload requests to an endpoint using Multer
- Intentionally causing errors during the upload process (e.g., abruptly terminating connections, sending malformed multipart data)
- Repeating this process to accumulate orphaned streams
- Eventually exhausting server memory or file descriptors
The vulnerability can be triggered through sustained low-volume attacks over time or through rapid burst attacks that quickly exhaust resources.
The vulnerability exists in how the request stream error events are handled. When an HTTP request stream encounters an error, the internal busboy stream should be closed to release resources. In vulnerable versions, this cleanup step is missing, allowing streams to accumulate. The fix in version 2.0.0 adds proper error propagation to ensure all associated streams are destroyed when the parent request encounters an error. For technical details, see the GitHub Security Advisory.
Detection Methods for CVE-2025-47935
Indicators of Compromise
- Gradual memory consumption increase on Node.js application servers over time
- Growing number of open file descriptors that never decrease
- Server unresponsiveness or crashes requiring manual restarts
- Out-of-memory errors in Node.js process logs
- Increased frequency of "EMFILE: too many open files" errors
Detection Strategies
- Monitor Node.js process memory usage (heap and RSS) for abnormal growth patterns
- Track open file descriptor counts using operating system utilities (lsof, /proc/<pid>/fd)
- Implement application-level logging for multipart upload errors and incomplete requests
- Review dependency versions to identify Multer installations below version 2.0.0
- Use software composition analysis (SCA) tools to scan for vulnerable dependencies
Monitoring Recommendations
- Configure alerts for Node.js process memory exceeding baseline thresholds
- Set up file descriptor monitoring with alerts when counts approach system limits
- Implement request timeout logging to identify patterns of failed uploads
- Monitor application restart frequency as an indicator of resource exhaustion events
- Enable verbose logging on file upload endpoints during investigation periods
How to Mitigate CVE-2025-47935
Immediate Actions Required
- Upgrade Multer to version 2.0.0 or later immediately
- Review all Node.js applications for Multer dependencies using npm ls multer or yarn why multer
- Update both direct and transitive dependencies that may include vulnerable Multer versions
- Implement process monitoring to detect and alert on resource exhaustion
- Consider implementing request rate limiting on file upload endpoints as a defense-in-depth measure
Patch Information
The vulnerability has been addressed in Multer version 2.0.0. Users should update their package.json to require this version or later; the npm and yarn commands for doing so are listed at the end of the Workarounds section.
The patch ensures proper cleanup of internal streams when HTTP request errors occur. Technical details of the fix can be found in GitHub Pull Request #1120 and the commit implementing the fix.
Workarounds
- No known workarounds are available according to the security advisory
- Upgrading to version 2.0.0 is the only confirmed remediation
- As a temporary defense-in-depth measure, implement aggressive request timeouts on upload endpoints
- Consider adding rate limiting to reduce the attack surface
- Monitor and restart affected services proactively if upgrade cannot be immediately performed
# Update Multer to the patched version and record the new range in package.json
# (npm install with an explicit range is used because npm update keeps the existing range)
npm install multer@^2.0.0
# Or using yarn
yarn upgrade multer@^2.0.0
# Verify the installed version, including any transitive copies
npm ls multer
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.