Multer Resource Exhaustion and Memory Leak Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Multer, a Node.js middleware for handling multipart form data, prior to version 2.0.0. The issue arises from improper stream management, where the internal 'busboy' stream is not closed when the HTTP request stream encounters an error. This oversight creates a memory leak as unclosed streams accumulate over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can lead to a denial-of-service situation, requiring manual server restarts to recover. All users of Multer who handle file uploads are potentially affected.

Impact

The vulnerability causes a memory leak and resource exhaustion, leading to a denial-of-service condition where the server becomes unresponsive and requires a manual restart.

Reproduction

The vulnerability can be reproduced by uploading files with Multer in a version prior to 2.0.0 and causing the upload to fail in a way that generates an error in the request stream. This can be done by sending a malformed multipart request that busboy, the underlying parser used by Multer, cannot process correctly. The error handling in affected versions does not close the busboy stream, so open streams accumulate and consume server resources with each failed upload.

Remediation

Users should upgrade to Multer version 2.0.0 or later, where this vulnerability has been patched.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.