Skip to content

fix(deps): update dependency multer to v2 [security]#46

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-multer-vulnerability
Open

fix(deps): update dependency multer to v2 [security]#46
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-multer-vulnerability

Conversation

@renovate
Copy link
Copy Markdown

@renovate renovate Bot commented Mar 3, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
multer ^1.4.2^2.1.1 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Multer vulnerable to Denial of Service via resource exhaustion

CVE-2026-2359 / GHSA-v52c-386h-88mc

More information

Details

Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion.

Patches

Users should upgrade to 2.1.0

Workarounds

None

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Multer vulnerable to Denial of Service via incomplete cleanup

CVE-2026-3304 / GHSA-xf7r-hgr6-v32p

More information

Details

Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion.

Patches

Users should upgrade to 2.1.0

Workarounds

None

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Multer Vulnerable to Denial of Service via Uncontrolled Recursion

CVE-2026-3520 / GHSA-5528-5vmv-3xc2

More information

Details

Impact

A vulnerability in Multer versions < 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow.

Patches

Users should upgrade to 2.1.1

Workarounds

None

Resources

Severity

  • CVSS Score: 8.7 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

expressjs/multer (multer)

v2.1.1

Compare Source

v2.1.0

Compare Source

v2.0.2

Compare Source

v2.0.1

Compare Source

v2.0.0

Compare Source

v1.4.4

Compare Source

v1.4.3

Compare Source

  • Bugfix: Avoid deprecated pseudoRandomBytes function (#​774)
  • Docs: Add Português Brazil translation for README (#​758)
  • Docs: Clarify the callback calling convention (#​775)
  • Docs: Add example on how to link to html multipart form (#​580)
  • Docs: Add Spanish translation for README (#​838)
  • Docs: Add Math.random() to storage filename example (#​841)
  • Docs: Fix mistakes in russian doc (#​869)
  • Docs: Improve Português Brazil translation (#​877)
  • Docs: Update var to const in all Readmes (#​1024)
  • Internal: Bump mkdirp version (#​862)
  • Internal: Bump Standard version (#​878)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-multer-vulnerability branch 3 times, most recently from 8a42a0b to d7adc25 Compare March 5, 2026 23:36
@renovate renovate Bot force-pushed the renovate/npm-multer-vulnerability branch 2 times, most recently from b6721a4 to 6325a7b Compare March 13, 2026 20:07
@renovate renovate Bot force-pushed the renovate/npm-multer-vulnerability branch 2 times, most recently from 0729840 to 8ea3c7f Compare March 26, 2026 20:46
@renovate renovate Bot changed the title fix(deps): update dependency multer to v2 [security] fix(deps): update dependency multer to v2 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-multer-vulnerability branch March 27, 2026 00:58
@renovate renovate Bot changed the title fix(deps): update dependency multer to v2 [security] - autoclosed fix(deps): update dependency multer to v2 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-multer-vulnerability branch 4 times, most recently from 7f3c734 to 0547918 Compare April 1, 2026 23:51
@renovate renovate Bot force-pushed the renovate/npm-multer-vulnerability branch 3 times, most recently from 2929022 to bc55ee8 Compare April 15, 2026 10:11
@renovate renovate Bot force-pushed the renovate/npm-multer-vulnerability branch 7 times, most recently from f889b34 to 913cfa8 Compare April 22, 2026 01:48
@renovate renovate Bot force-pushed the renovate/npm-multer-vulnerability branch from 913cfa8 to 4780611 Compare April 23, 2026 11:17
@renovate renovate Bot force-pushed the renovate/npm-multer-vulnerability branch from 4780611 to 599e959 Compare April 23, 2026 13:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants