Multer Denial-of-Service Vulnerability via Malformed Multipart Requests
Vulnerability
A denial-of-service vulnerability has been identified in Multer, a Node.js middleware for handling multipart form data. This issue affects Multer versions 1.4.4-lts.1 through 2.0.2. The vulnerability arises when an attacker sends a malformed multipart upload request, which triggers an unhandled exception and crashes the process. Users are advised to upgrade to version 2.0.2, the first version that includes a patch for this vulnerability. No known workarounds are available.
Impact
Exploitation of this vulnerability leads to a process crash, causing a denial-of-service condition.
Reproduction
The vulnerability can be reproduced by sending a multipart upload request with a malformed structure, particularly one that includes a bad boundary. This can be done using an HTTP client that allows for the manipulation of multipart form data, such as Postman or a custom script. The server should be set up to use Multer for handling file uploads.
Remediation
Users should upgrade to Multer version 2.0.2.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.