July 2025 Security Releases

31 Jul 2025

The Express team has released a new patch version of Multer addressing a high-severity security vulnerability, and a new minor version of on-headers addressing a low-severity security vulnerability.

Warning

We recommend upgrading to the latest version of Multer and On-headers immediately to secure your applications.

The following vulnerabilities have been addressed:

High severity vulnerability CVE-2025-7338 in Multer middleware

Multer versions >=1.4.4-lts.1 and <2.0.2 are vulnerable to denial of service via an unhandled exception triggered by a malformed request.

This request causes an unhandled exception, leading to a crash of the process.

Affected versions: >=1.4.4-lts.1, <2.0.2
Patched version: 2.0.2

For more details, see GHSA-fjgf-rc76-4x9p.

Low severity vulnerability CVE-2025-7339 in on-headers middleware

On-headers versions <1.1.0 are vulnerable to HTTP response header manipulation.

A bug in on-headers versions <1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead().

Affected versions: <1.1.0
Patched version: 1.1.0

For more details, see GHSA-76c9-3jph-rj3q.
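To find out whether a project resolves either package inside the affected ranges, including copies nested under other dependencies, the npm lockfile can be checked directly. The following is an added example, not code from the Express project: the helper names and the sample lockfile are constructed, and reading the ranges by SemVer 2.0.0 precedence (so that `-lts.N` and `-rc.N` tags are ordered as prereleases) is an assumption.

```javascript
// Added example; ADVISORIES, findAffected and SAMPLE_LOCK are illustrative names.
const ADVISORIES = [
  { name: 'multer', cve: 'CVE-2025-7338', min: '1.4.4-lts.1', fixed: '2.0.2' },
  { name: 'on-headers', cve: 'CVE-2025-7339', min: null, fixed: '1.1.0' },
];

// Split "1.4.5-lts.2" into its numeric core and prerelease identifiers.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  return m && { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer 2.0.0 precedence: negative if a < b, 0 if equal, positive if a > b.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  // A release outranks any prerelease of the same core version.
  if (!x.pre.length || !y.pre.length) return y.pre.length - x.pre.length;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn && +p !== +q) return +p - +q;   // numeric identifiers compare as numbers
    if (pn !== qn) return pn ? -1 : 1;           // numeric sorts below alphanumeric
    if (!pn && p !== q) return p < q ? -1 : 1;   // alphanumeric compares as ASCII
  }
  return 0;
}

// Walk the "packages" map of an npm lockfile (v2/v3), nested copies included.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    const v = meta.version;
    for (const adv of ADVISORIES) {
      if (name !== adv.name || !v || !parse(v)) continue;
      if (adv.min && compare(v, adv.min) < 0) continue;   // below the affected range
      if (compare(v, adv.fixed) < 0) hits.push({ path, version: v, cve: adv.cve, fixed: adv.fixed });
    }
  }
  return hits;
}

// Constructed sample lockfile: one top-level and one nested on-headers copy.
const SAMPLE_LOCK = { packages: {
  'node_modules/multer': { version: '1.4.5-lts.2' },
  'node_modules/on-headers': { version: '1.1.0' },
  'node_modules/compression/node_modules/on-headers': { version: '1.0.2' },
} };
console.log(findAffected(SAMPLE_LOCK));
```

For a real project, pass the parsed contents of `package-lock.json` to `findAffected`; any entry it returns needs to resolve to the listed patched version or later.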

