CVE-2025-48997

{"id": "CVE-2025-48997", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-03T19:15:39.577", "references": [{"url": "https://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9", "source": "security-advisories@github.com"}, {"url": "https://github.com/expressjs/multer/issues/1233", "source": "security-advisories@github.com"}, {"url": "https://github.com/expressjs/multer/pull/1256", "source": "security-advisories@github.com"}, {"url": "https://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-248"}]}], "descriptions": [{"lang": "en", "value": "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available."}, {"lang": "es", "value": "Multer es un middleware de Node.js para gestionar `multipart/form-data`. Una vulnerabilidad presente a partir de la versi\u00f3n 1.4.4-lts.1 y anteriores a la 2.0.1 permite a un atacante activar una denegaci\u00f3n de servicio (DoS) al enviar una solicitud de carga de archivo con un nombre de campo de cadena vac\u00edo. Esta solicitud provoca una excepci\u00f3n no controlada, lo que provoca un bloqueo del proceso. Los usuarios deben actualizar a la versi\u00f3n 2.0.1 para recibir un parche. No se conocen workarounds."}], "lastModified": "2025-06-04T14:54:33.783", "sourceIdentifier": "security-advisories@github.com"}