CVE-2025-48997: 
JavaScript vulnerability analysis and mitigation

Multer, a node.js middleware for handling multipart/form-data, contains a vulnerability (CVE-2025-48997) that affects versions from 1.4.4-lts.1 to versions prior to 2.0.1. The vulnerability was discovered and disclosed on June 3, 2025, allowing attackers to trigger a Denial of Service (DoS) condition through an upload file request with an empty string field name (GitHub Advisory).

The vulnerability is classified as CWE-248 (Uncaught Exception) with a CVSS v4.0 score of 8.7 (HIGH). The issue occurs when processing file uploads where a request contains an empty string field name, leading to an unhandled exception that causes the process to crash. When a file upload request is made with an empty field name, the application fails to handle the exception properly, resulting in a TypeError related to undefined property access (NVD, GitHub Issue).

When exploited, this vulnerability results in a Denial of Service condition that affects the program integrating Multer. The impact is limited to the application process itself, with no direct effect on the host operating system. The DoS occurs through process termination when handling malformed upload requests (GitHub Advisory).

Users are strongly advised to upgrade to Multer version 2.0.1, which contains the patch for this vulnerability. No alternative workarounds are available for this issue. The fix was implemented through a code change that properly handles missing field names (GitHub Commit).