July 2025 Security Releases
The Express team has released a new patch version of Multer addressing a high-severity security vulnerability, and a new minor version of on-headers addressing a low-severity security vulnerability.
Warning
We recommend upgrading to the latest versions of Multer and on-headers immediately to secure your applications.
The following vulnerabilities have been addressed:
- High severity vulnerability CVE-2025-7338 in Multer middleware
- Low severity vulnerability CVE-2025-7339 in on-headers middleware
High severity vulnerability CVE-2025-7338 in Multer middleware
Multer versions >=1.4.4-lts.1 and <2.0.2 are vulnerable to denial of service via an unhandled exception from a malformed request.
A malformed multipart upload request causes an unhandled exception, which crashes the Node.js process. Because Multer runs in-process as middleware, one such request takes down the whole server rather than a single route, so a process supervisor only limits the damage; the fix is to upgrade.
Affected versions: >=1.4.4-lts.1, <2.0.2
Patched version: 2.0.2
For more details, see GHSA-fjgf-rc76-4x9p.
Low severity vulnerability CVE-2025-7339 in on-headers middleware
on-headers versions <1.1.0 are vulnerable to HTTP response header manipulation.
A bug in on-headers versions <1.1.0 may result in response headers being inadvertently modified when headers are passed to response.writeHead() as an array rather than an object. Applications that cannot upgrade immediately can avoid the bug by passing a headers object, rather than an array, to response.writeHead(). Note that on-headers is usually pulled in as a transitive dependency of middleware such as compression and morgan rather than as a direct dependency, so check for nested copies with `npm ls on-headers`.
Affected versions: <1.1.0
Patched version: 1.1.0
For more details, see GHSA-76c9-3jph-rj3q.
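Both advisories above express their affected ranges in npm semver terms, and the Multer range starts at a prerelease tag (1.4.4-lts.1), which trips up naive version comparisons. The following is an added example, not code from the Express project or either advisory: it walks a lockfileVersion 2/3 `package-lock.json` (the `packages` map, including nested `node_modules` copies) and reports any Multer or on-headers entry inside the ranges stated on this page. The lockfile contents, the `scanLockfile`/`isAffected` helpers and the minimal semver comparison are all assumptions made for the example; a real project would normally just run `npm audit`, but this shows exactly what the range check has to get right.

```javascript
// Added example (not Express project code): scan a package-lock.json
// "packages" map for the Multer and on-headers ranges from this advisory.
// The semver comparison below is a minimal re-implementation so the script
// runs without the npm "semver" package; the lockfile is constructed input.

const ADVISORIES = [
  // Affected: >=min, <fixed (min null means every version below fixed).
  { pkg: 'multer', id: 'CVE-2025-7338', min: '1.4.4-lts.1', fixed: '2.0.2' },
  { pkg: 'on-headers', id: 'CVE-2025-7339', min: null, fixed: '1.1.0' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null,
  };
}

// Prerelease identifier ordering per semver: numeric identifiers sort
// before alphanumeric ones; numerics compare as numbers, others by ASCII.
function comparePreId(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Number(a) - Number(b);
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Comparator returning <0, 0 or >0. A prerelease such as 1.4.4-lts.1 sorts
// below its release 1.4.4, so 1.4.4 itself falls inside the Multer range.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.main[i] !== y.main[i]) return x.main[i] - y.main[i];
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;   // release > prerelease
  if (!y.pre) return -1;  // prerelease < release
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const c = comparePreId(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return x.pre.length - y.pre.length;
}

function isAffected(adv, version) {
  if (adv.min && compareVersions(version, adv.min) < 0) return false;
  return compareVersions(version, adv.fixed) < 0;
}

// Walk every "node_modules/.../<name>" path, including nested copies, so a
// transitive on-headers under e.g. compression or morgan is not missed.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // '' for the root entry
    if (!name || !meta.version) continue;
    for (const adv of ADVISORIES) {
      if (adv.pkg === name && isAffected(adv, meta.version)) {
        findings.push({ path, version: meta.version, id: adv.id, fixed: adv.fixed });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile (assumption for the example, not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/multer': { version: '1.4.5-lts.2' },          // affected
    'node_modules/compression': { version: '1.7.4' },
    'node_modules/compression/node_modules/on-headers': { version: '1.0.2' }, // affected, nested
    'node_modules/on-headers': { version: '1.1.0' },            // patched
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanLockfile(SAMPLE_LOCK)) {
    console.log(`${f.id}: ${f.path}@${f.version} is affected, upgrade to >=${f.fixed}`);
  }
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The nested `compression/node_modules/on-headers` entry in the sample is the case to watch for: a top-level `npm ls on-headers` may show 1.1.0 while a hoisting conflict leaves an older copy one level down.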