Skip to content

Update dependency multer to v2 [SECURITY] - autoclosed#286

Closed
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-multer-vulnerability
Closed

Update dependency multer to v2 [SECURITY] - autoclosed#286
renovate[bot] wants to merge 1 commit intomainfrom
renovate/npm-multer-vulnerability

Conversation

@renovate
Copy link

@renovate renovate bot commented Nov 27, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
multer ^1.4.2^2.0.1 age confidence

GitHub Vulnerability Alerts

CVE-2025-48997

Impact

A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process.

Patches

Users should upgrade to 2.0.1

Workarounds

None

References

expressjs/multer@35a3272
https://github.com/expressjs/multer/issues/1233
https://github.com/expressjs/multer/pull/1256

Release Notes

expressjs/multer (multer)

v2.0.1

Compare Source

v2.0.0

Compare Source

v1.4.4

Compare Source

v1.4.3

Compare Source

  • Bugfix: Avoid deprecated pseudoRandomBytes function (#​774)
  • Docs: Add Português Brazil translation for README (#​758)
  • Docs: Clarify the callback calling convention (#​775)
  • Docs: Add example on how to link to html multipart form (#​580)
  • Docs: Add Spanish translation for README (#​838)
  • Docs: Add Math.random() to storage filename example (#​841)
  • Docs: Fix mistakes in russian doc (#​869)
  • Docs: Improve Português Brazil translation (#​877)
  • Docs: Update var to const in all Readmes (#​1024)
  • Internal: Bump mkdirp version (#​862)
  • Internal: Bump Standard version (#​878)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from astrowq November 27, 2025 10:38
@renovate renovate bot force-pushed the renovate/npm-multer-vulnerability branch 2 times, most recently from b08032b to 3a055d1 Compare December 3, 2025 21:11
@renovate renovate bot force-pushed the renovate/npm-multer-vulnerability branch 2 times, most recently from d7a502d to 6f7cee6 Compare December 31, 2025 22:04
@renovate renovate bot force-pushed the renovate/npm-multer-vulnerability branch 2 times, most recently from 7bbf469 to e5dbbb5 Compare January 8, 2026 23:39
@renovate renovate bot force-pushed the renovate/npm-multer-vulnerability branch 2 times, most recently from a5d30b6 to 610e7f8 Compare January 19, 2026 18:45
@renovate renovate bot force-pushed the renovate/npm-multer-vulnerability branch 2 times, most recently from da94dd4 to d78a669 Compare February 2, 2026 22:53
@renovate renovate bot force-pushed the renovate/npm-multer-vulnerability branch 3 times, most recently from d78dfaa to 421d468 Compare February 17, 2026 17:02
@renovate renovate bot force-pushed the renovate/npm-multer-vulnerability branch from 421d468 to da073e9 Compare February 18, 2026 00:04
@renovate renovate bot changed the title Update dependency multer to v2 [SECURITY] Update dependency multer to v2 [SECURITY] - autoclosed Feb 23, 2026
@renovate renovate bot closed this Feb 23, 2026
@renovate renovate bot deleted the renovate/npm-multer-vulnerability branch February 23, 2026 22:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@astrowq astrowq Awaiting requested review from astrowq

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants