multer @0.1.8
Middleware for handling `multipart/form-data`.
Maintainers
Keywords
Dependencies (4)
| Package | Constraint | Registry Status |
|---|---|---|
| qs | ~1.2.2 | auto_approved |
| busboy | ~0.2.9 | auto_approved |
| mkdirp | ~0.3.5 | auto_approved |
| type-is | ~1.5.2 | auto_approved |
Dev Dependencies (6)
| Package | Constraint | Registry Status |
|---|---|---|
| co | ^3.0.6 | auto_approved |
| chai | ^1.9.1 | auto_approved |
| mocha | * | auto_approved |
| rimraf | ^2.2.8 | auto_approved |
| express | * | auto_approved |
| supertest | ^0.13.0 | auto_approved |
Transitive Dependency Tree
Risk Dispositions (3 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason |
|---|---|---|---|---|
| osv:GHSA-5528-5vmv-3xc2 | osv | reject | AI | AI (osv): DoS via uncontrolled recursion; affects all versions < 2.1.1; fix available in 2.1.1. |
| osv:GHSA-v52c-386h-88mc | osv | reject | AI | AI (osv): DoS via resource exhaustion on dropped connection; affects < 2.1.0; fix available in 2.1.0. |
| osv:GHSA-xf7r-hgr6-v32p | osv | reject | AI | AI (osv): DoS via incomplete cleanup; affects < 2.1.0; fix available in 2.1.0. |
SAST Findings (5)
[Always reject]
### Impact
A vulnerability in Multer versions < 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow.
### Patches
Users should upgrade to `2.1.1`
### Workarounds
None
### Resources
- https://github.com/expressjs/multer/security/advisories/GHSA-5528-5vmv-3xc2
- https://www.cve.org/CVERecord?id=CVE-2026-3520
- https://github.com/expressjs/multer/commit/7e66481f8b2e6c54b982b34c152479e096ce2752
- https://cna.openjsf.org/security-advisories.html

[Always reject]
### Impact
A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping the connection during a file upload, potentially causing resource exhaustion.
### Patches
Users should upgrade to `2.1.0`
### Workarounds
None

[Always reject]
### Impact
A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion.
### Patches
Users should upgrade to `2.1.0`
### Workarounds
None

CVSS 7.5 (HIGH) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
### Impact
Multer < 2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted.
### Patches
Users should upgrade to `2.0.0`
### Workarounds
None
### References
- https://github.com/expressjs/multer/pull/1120
- https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
Review Summary
Risk score: 100 (capped from 148). Findings: 3 critical (+120), 1 high (+25), 1 low (+3).
Commit: 58ee463ab42a
Published to npm: