CVE-2025-47935: 
JavaScript vulnerability analysis and mitigation

Multer, a popular Node.js middleware for handling multipart/form-data with over 26.3 million monthly downloads, contains a critical vulnerability (CVE-2025-47935) affecting all versions prior to 2.0.0. The vulnerability was disclosed on May 19, 2025, and primarily impacts applications using Multer for file upload functionality (Wiz, Security Advisory).

The vulnerability stems from improper stream handling in Multer's implementation. When an HTTP request stream emits an error, the internal 'busboy' stream is not properly closed, which violates Node.js stream safety guidance. This technical oversight has been assigned a CVSS v3.1 score of 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime) (Security Advisory).

The vulnerability leads to unclosed streams accumulating over time, resulting in resource exhaustion through memory and file descriptor consumption. Under sustained or repeated failure conditions, this can cause denial of service (DoS) that requires manual server restarts to recover. Given Multer's widespread use with over 26.3 million monthly downloads, the potential impact is significant (Wiz).

The vulnerability has been patched in Multer version 2.0.0. Users are strongly advised to upgrade to this version as no alternative workarounds are available. The fix includes proper handling of stream closure when errors occur (Security Advisory, GitHub Commit).

The vulnerability has garnered significant attention from the developer community, with multiple developers expressing concerns about the severity of the memory leak issues. Prior to the fix, developers reported having to restart their servers daily due to thousands of unclosed streams, highlighting the operational impact of this vulnerability (GitHub PR).