
CVE-2025-7338: Multer Node.js Middleware DoS Vulnerability

CVE-2025-7338 is a denial of service flaw in Multer Node.js middleware that allows attackers to crash processes via malformed multipart uploads. This article covers technical details, affected versions, impact, and mitigation.


CVE-2025-7338 Overview

CVE-2025-7338 is a Denial of Service (DoS) vulnerability in Multer, a popular Node.js middleware for handling multipart/form-data. The vulnerability exists in versions starting from 1.4.4-lts.1 and prior to version 2.0.2, allowing attackers to crash the process by sending malformed multi-part upload requests that trigger unhandled exceptions.

Critical Impact

Attackers can crash Node.js applications using vulnerable Multer versions by sending specially crafted multipart upload requests, causing service disruption without requiring authentication.

Affected Products

  • Multer versions >= 1.4.4-lts.1 and < 2.0.2
  • Node.js applications using vulnerable Multer middleware
  • Express.js applications with multipart form handling via Multer

Discovery Timeline

  • 2025-07-17 - CVE-2025-7338 published to NVD
  • 2025-07-17 - Last updated in NVD database

Technical Details for CVE-2025-7338

Vulnerability Analysis

This vulnerability stems from insufficient error handling within Multer's file stream processing logic (CWE-248: Uncaught Exception). When processing multipart form data, the middleware fails to properly handle certain error conditions in file streams, resulting in unhandled exceptions that crash the Node.js process.

The vulnerability is exploitable over the network without requiring authentication or user interaction. While the attack does not compromise confidentiality or integrity, it directly impacts availability by terminating the application process. Applications using Multer for file uploads in production environments are at risk of complete service disruption.

Root Cause

The root cause is inadequate error handling in the file stream processing within lib/make-middleware.js. Specifically, when a file stream encounters an error, the code path did not properly decrement pending write counters or gracefully abort the operation, leading to an unhandled exception that propagates up and crashes the process.

Attack Vector

An attacker can exploit this vulnerability by sending a malformed multipart upload request to any endpoint that uses Multer middleware. The attack requires no authentication and can be performed remotely over the network. When the malformed request triggers an error in the file stream processing, the unhandled exception causes the Node.js process to crash, resulting in denial of service for all users of the application.

The patch addresses this by adding proper error event handling on file streams:

javascript
// Security patch in lib/make-middleware.js - improve error handling
// Source: https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b

 
     // handle files
     busboy.on('file', function (fieldname, fileStream, { filename, encoding, mimeType }) {
+      var pendingWritesIncremented = false
+
+      fileStream.on('error', function (err) {
+        if (pendingWritesIncremented) {
+          pendingWrites.decrement()
+        }
+        abortWithError(err)
+      })
+
       if (fieldname == null) return abortWithCode('MISSING_FIELD_NAME')
 
       // don't attach to the files object, if there is no file
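Review bot: the new `pendingWritesIncremented` flag is initialised to `false` in this hunk but is never set to `true` anywhere in the visible lines, so the `pendingWrites.decrement()` branch of the error handler only balances the counter if the code that later calls `pendingWrites.increment()` sets the flag immediately after that call; that assignment should be confirmed (and ideally shown in the same change), otherwise a stream error landing between the increment and the assignment would leave the counter stuck above zero and the request never completing. Registering the `'error'` listener before the `if (fieldname == null) return abortWithCode('MISSING_FIELD_NAME')` early return is the right order: a stream abandoned by that return would otherwise have no `'error'` listener at all, which is exactly the condition that crashes the process.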

Source: GitHub Commit Details

Detection Methods for CVE-2025-7338

Indicators of Compromise

  • Unexpected Node.js process crashes or restarts coinciding with incoming HTTP requests
  • Application logs showing unhandled exceptions in Multer middleware or file stream processing
  • Increased rate of multipart form-data requests, particularly malformed ones, preceding service outages
  • Process monitoring alerts indicating repeated crashes of Node.js applications handling file uploads

Detection Strategies

  • Monitor application logs for unhandled exceptions originating from lib/make-middleware.js or Multer-related code paths
  • Implement request validation to detect and log malformed multipart requests before they reach Multer
  • Use dependency scanning tools to identify applications running vulnerable Multer versions (>= 1.4.4-lts.1 and < 2.0.2)
  • Deploy application performance monitoring (APM) to track process crashes and correlate with incoming request patterns

Monitoring Recommendations

  • Set up process monitoring and automatic restart mechanisms (e.g., PM2, systemd) to minimize downtime from DoS attacks
  • Configure rate limiting on file upload endpoints to mitigate high-volume attack attempts
  • Implement alerting for unusual patterns in multipart request failures or process terminations
  • Review web application firewall (WAF) logs for suspicious multipart request activity

How to Mitigate CVE-2025-7338

Immediate Actions Required

  • Upgrade Multer to version 2.0.2 or later immediately to receive the security patch
  • Audit all Node.js applications in your environment for vulnerable Multer versions
  • Implement process managers with automatic restart capabilities to reduce downtime impact
  • Consider temporarily disabling file upload functionality if immediate patching is not possible

Patch Information

The vulnerability has been patched in Multer version 2.0.2. Users should upgrade to this version or later to remediate the vulnerability. The fix adds proper error event handling to file streams, ensuring that exceptions are caught and processed gracefully rather than crashing the application.

For detailed patch information, see the GitHub Security Advisory GHSA-fjgf-rc76-4x9p and the security patch commit.

Workarounds

  • No official workarounds are available for this vulnerability according to the security advisory
  • Deploy load balancers with health checks to automatically route traffic away from crashed instances
  • Implement robust process supervision to restart failed processes immediately
  • Consider adding a reverse proxy layer with request validation to filter potentially malicious multipart requests

bash
# Pin Multer to the patched version (npm update only moves within the
# range already declared in package.json, so it will not cross 1.x -> 2.x)
npm install multer@2.0.2

# Or allow any 2.0.2 or later release
npm install multer@^2.0.2

# Verify the installed version
npm list multer

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
