Multer Denial-of-Service Vulnerability via Resource Exhaustion
Vulnerability
A denial-of-service vulnerability has been identified in Multer, a Node.js middleware for handling multipart/form-data, in versions prior to 2.1.0. An attacker can trigger resource exhaustion by opening a file upload and then dropping the connection before the declared body has been transferred; the resources associated with the interrupted upload are not reclaimed, so repeating the pattern degrades or disrupts the service. Users are advised to upgrade to version 2.1.0, which includes a patch for this vulnerability. No workarounds are available.
Impact
Exploitation of this vulnerability leads to resource exhaustion on the server, causing a denial-of-service condition in which the application becomes unresponsive or unavailable. No authentication is required beyond being able to reach an endpoint that accepts multipart uploads through the vulnerable middleware.
Reproduction
The vulnerability can be reproduced by starting a file upload through a multipart/form-data request and abruptly terminating the connection before the upload is complete. In practice this means opening a raw network socket to the server, sending the request headers with a Content-Length larger than what will actually be sent, writing only part of the multipart body, and then closing the socket without sending the closing boundary, which simulates an interrupted file transfer. Repeating this a number of times against an unpatched server makes the resource growth observable.
Remediation
Users should upgrade to Multer version 2.1.0 or later. Because no workaround is available, upgrading is the only remediation; after upgrading, confirm the installed version with `npm ls multer` and retest with an interrupted upload to verify that resource usage returns to baseline.
