Multer Denial-of-Service Vulnerability via Malformed Multipart Requests

Vulnerability

A denial-of-service vulnerability has been identified in Multer, a Node.js middleware for handling multipart form data. It affects versions from 1.4.4-lts.1 up to, but not including, 2.0.0. The vulnerability is triggered when an attacker sends a malformed multipart upload request, which raises an unhandled exception and crashes the process. It has been reported to affect Node.js applications using Express, particularly those that handle file uploads.

Impact

Exploitation of this vulnerability leads to an unhandled error event that can crash the entire Node.js application, disrupting service and potentially causing a denial-of-service condition for users.

Reproduction

The vulnerability can be reproduced by sending a malformed multipart form-data request that omits the closing boundary. This can be done using a tool like curl or by crafting a request in a Node.js application. The missing boundary causes 'busboy', the underlying parser used by Multer, to emit an error that is not properly handled, leading to a crash.

Remediation

Users are advised to upgrade Multer to version 2.0.0, which addresses the vulnerability by properly handling error events from 'busboy' before they can cause a crash.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.