CVE-2025-48997: 
JavaScript vulnerability analysis and mitigation

Multer, a node.js middleware for handling multipart/form-data, contains a vulnerability (CVE-2025-48997) that affects versions from 1.4.4-lts.1 to versions prior to 2.0.1. The vulnerability was discovered and disclosed on June 3, 2025, allowing attackers to trigger a Denial of Service (DoS) condition through an upload file request with an empty string field name (GitHub Advisory).

The vulnerability is classified as CWE-248 (Uncaught Exception) with a CVSS v4.0 score of 8.7 (HIGH) and CVSS v3.1 score of 5.3. The issue occurs when processing file uploads where a request contains an empty string field name, leading to an unhandled exception that causes the process to crash. The vulnerability specifically manifests in the file handling functionality of the middleware (NVD, Red Hat).

When exploited, this vulnerability results in a Denial of Service condition that affects the program integrating Multer. The impact is limited to the application process itself, with no direct effect on the host operating system. The DoS occurs through process termination when handling malformed upload requests (Red Hat).

Users are strongly advised to upgrade to Multer version 2.0.1, which contains the patch for this vulnerability. No alternative workarounds are available for this issue. The fix was implemented through a code change that properly handles missing field names (GitHub Commit).