{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-7338", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "state": "PUBLISHED", "assignerShortName": "openjs", "dateReserved": "2025-07-07T20:01:12.534Z", "datePublished": "2025-07-17T15:26:45.427Z", "dateUpdated": "2025-07-17T16:48:43.154Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "multer", "vendor": "expressjs", "versions": [{"lessThan": "2.0.2", "status": "affected", "version": "1.4.4-lts.1", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available."}], "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-248", "description": "CWE-248", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2025-07-17T15:26:45.427Z"}, "references": [{"url": "https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p"}, {"url": "https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "source": {"discovery": "UNKNOWN"}, "title": "Multer vulnerable to Denial of Service via unhandled exception from malformed request", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-17T16:48:34.245218Z", "id": "CVE-2025-7338", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-17T16:48:43.154Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7338", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-17T16:48:34.245218Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-17T16:48:38.891Z"}}], "cna": {"title": "Multer vulnerable to Denial of Service via unhandled exception from malformed request", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "expressjs", "product": "multer", "versions": [{"status": "affected", "version": "1.4.4-lts.1", "lessThan": "2.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p"}, {"url": "https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b"}, {"url": "https://cna.openjsf.org/security-advisories.html"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available.", "supportingMedia": [{"type": "text/html", "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-248", "description": "CWE-248"}]}], "providerMetadata": {"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "shortName": "openjs", "dateUpdated": "2025-07-17T15:26:45.427Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7338", "state": "PUBLISHED", "dateUpdated": "2025-07-17T16:48:43.154Z", "dateReserved": "2025-07-07T20:01:12.534Z", "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb", "datePublished": "2025-07-17T15:26:45.427Z", "assignerShortName": "openjs"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available."}, {"lang": "es", "value": "Multer es un middleware de Node.js para gestionar `multipart/form-data`. Una vulnerabilidad presente a partir de la versi\u00f3n 1.4.4-lts.1 y anteriores a la 2.0.2 permite a un atacante activar una denegaci\u00f3n de servicio (DoS) mediante el env\u00edo de una solicitud de carga multiparte malformada. Esta solicitud provoca una excepci\u00f3n no controlada, lo que provoca un bloqueo del proceso. Los usuarios deben actualizar a la versi\u00f3n 2.0.2 para recibir un parche. No se conocen soluciones alternativas."}], "id": "CVE-2025-7338", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}, "published": "2025-07-17T16:15:35.227", "references": [{"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://cna.openjsf.org/security-advisories.html"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b"}, {"source": "ce714d77-add3-4f53-aff5-83d477b104bb", "url": "https://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p"}], "sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-248"}], "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary"}]}

{"bugzilla": {"description": "multer: Multer Denial of Service", "id": "2381726", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2381726"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-248", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-7338", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Fix deferred", "package_name": "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-rhel9-operator", "product_name": "Red Hat Developer Hub"}], "public_date": "2025-07-17T15:26:45Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-7338\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-7338\nhttps://cna.openjsf.org/security-advisories.html\nhttps://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b\nhttps://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p"], "threat_severity": "Moderate"}

{}