{
  "threat_severity" : "Moderate",
  "public_date" : "2025-06-03T18:21:59Z",
  "bugzilla" : {
    "description" : "multer: Multer vulnerable to Denial of Service via unhandled exception",
    "id" : "2370084",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2370084"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-248",
  "details" : [ "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to `2.0.1` to receive a patch. No known workarounds are available.", "An unhandled exception flaw was found in multer. This issue allows an attacker to trigger an application-level denial of service by sending an upload file request with an empty string field name, which raises an exception during processing that is not properly handled. This issue will lead to a program crash." ],
  "statement" : "The denial of service impact is limited to the program that integrates multer. The host operating system is not affected.",
  "affected_release" : [ {
    "product_name" : "Red Hat Developer Hub 1.7",
    "release_date" : "2025-08-19T00:00:00Z",
    "advisory" : "RHSA-2025:14090",
    "cpe" : "cpe:/a:redhat:rhdh:1.7::el9",
    "package" : "rhdh/rhdh-hub-rhel9:sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Not affected",
    "package_name" : "rhdh/rhdh-rhel9-operator",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-48997\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-48997\nhttps://github.com/expressjs/multer/commit/35a3272b611945155e046dd5cef11088587635e9\nhttps://github.com/expressjs/multer/issues/1233\nhttps://github.com/expressjs/multer/pull/1256\nhttps://github.com/expressjs/multer/security/advisories/GHSA-g5hg-p3ph-g8qg" ],
  "name" : "CVE-2025-48997",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria, comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}