#VU111105 Memory leak in multer - CVE-2025-47935

Cybersecurity Help s.r.o.

Published: 2025-06-12

Vulnerability identifier: #VU111105

Vulnerability risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-47935

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
multer
Other software / Other software solutions

Vendor: Express.js

Description
The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. A remote attacker can force the application to leak memory and perform denial of service attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

multer: 1.0.0 - 1.4.5.2

External links
https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665
https://github.com/expressjs/multer/pull/1120
https://github.com/expressjs/multer/security/advisories/GHSA-44fp-w29j-9vj5

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM App Connect Enterprise

Multiple vulnerabilities in IBM Security QRadar EDR

Memory leak in expressjs multer