multer 1.4.5-lts.1 — What Changed, Why the Version String is Weird, and How to Update

April 1, 2026 · PackageFix · 5 min read

multer 1.4.5-lts.1 is confusing a lot of developers. The version string looks wrong. npm does not auto-update to it. Here is what happened, why the version is named this way, and the exact commands to update.

What happened with multer

multer 1.4.4 and below have CVE-2022-24434 — a denial of service vulnerability in multipart form parsing. A crafted HTTP request can cause multer to hang the Node.js event loop, effectively taking down your server.

The fix was released as version 1.4.5-lts.1. Not 1.4.5. Not 2.0.0. The unusual version string is causing confusion — developers see it and think it is not a real release, or their version managers skip it.

Why the version is called 1.4.5-lts.1

In semver, anything after a hyphen is a pre-release identifier. So 1.4.5-lts.1 is technically a pre-release of 1.4.5, and it sorts below 1.4.5 itself. This means npm install multer and npm update multer will NOT install it unless you ask explicitly: npm excludes pre-release versions from range matching by default, so a range like ^1.4.4 never resolves to it.

The maintainers used this naming to signal it was a security-focused LTS patch rather than a standard feature release. The intention was good but the side effect is that millions of projects are still running vulnerable versions because their package managers quietly skipped the update.

Why npm audit fix does not always work

If you run npm audit fix on a project with vulnerable multer, it may report "0 vulnerabilities fixed" even though the vulnerability exists. This is because npm treats 1.4.5-lts.1 as a pre-release and will not upgrade to it automatically via audit fix. You must update manually.

How to update - exact commands

# Check your current version
npm list multer

# Update to the safe version
npm install multer@1.4.5-lts.1

# Verify the update
npm list multer
# Should show: multer@1.4.5-lts.1

# Commit the lockfile
git add package.json package-lock.json
git commit -m "fix: update multer to 1.4.5-lts.1 (CVE-2022-24434)"

If multer is a transitive dependency

Some projects pull in multer indirectly through another package. If npm list multer shows it under another package (not directly under your project), you need an npm override:

// package.json
{
  "overrides": {
    "multer": "1.4.5-lts.1"
  }
}
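Added example (not part of the original post or of multer's own code): a small Node.js script that applies the semver pre-release rule from the "Why the version is called 1.4.5-lts.1" section and then scans a package-lock.json for every installed multer copy, direct or nested, that predates the fix, which is the check you want before deciding whether an override is needed. The lockfile contents and the "upload-helper" package are constructed for the example, and the caret logic assumes a major version of 1 or higher.

```javascript
// Constructed package-lock.json fragment (not from any real project): multer is
// installed directly and again nested under a hypothetical "upload-helper" package.
const lockfile = {
  packages: {
    "": { dependencies: { multer: "^1.4.4", "upload-helper": "2.1.0" } },
    "node_modules/multer": { version: "1.4.4" },
    "node_modules/upload-helper": { version: "2.1.0", dependencies: { multer: "^1.4.2" } },
    "node_modules/upload-helper/node_modules/multer": { version: "1.4.5-lts.1" },
  },
};
const SAFE_VERSION = "1.4.5-lts.1";

// "1.4.5-lts.1" -> { core: [1,4,5], pre: ["lts", 1] }; "1.4.4" -> { core: [1,4,4], pre: null }
function parseSemver(v) {
  const [core, pre] = v.split("-");
  const ids = pre ? pre.split(".").map((id) => (/^\d+$/.test(id) ? Number(id) : id)) : null;
  return { core: core.split(".").map(Number), pre: ids };
}

// Semver precedence: major.minor.patch numerically, then a version WITH a pre-release
// tag ranks below the same core without one, so 1.4.4 < 1.4.5-lts.1 < 1.4.5.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  if (!pa.pre || !pb.pre) return (pa.pre ? -1 : 0) + (pb.pre ? 1 : 0);
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1; // shorter list is lower
    if (x === y) continue;
    if (typeof x === typeof y) return x < y ? -1 : 1;   // both numeric or both alphanumeric
    return typeof x === "number" ? -1 : 1;              // numeric ids rank below alphanumeric
  }
  return 0;
}

// A caret range such as "^1.4.4" (major >= 1 assumed) means >=1.4.4 <2.0.0, but a
// pre-release version only matches when the range itself names a pre-release on the
// same x.y.z tuple. That rule is why "^1.4.4" never resolves to 1.4.5-lts.1.
function caretSatisfies(range, version) {
  const floor = range.slice(1), v = parseSemver(version), f = parseSemver(floor);
  if (v.pre && !(f.pre && v.core.join(".") === f.core.join("."))) return false;
  return compareSemver(version, floor) >= 0 && v.core[0] === f.core[0];
}

// Every installed multer copy, direct or nested, whose version is older than the fix.
function findVulnerableMulter(lock) {
  return Object.entries(lock.packages)
    .filter(([p, pkg]) => p.endsWith("node_modules/multer") && compareSemver(pkg.version, SAFE_VERSION) < 0)
    .map(([p, pkg]) => ({ path: p, version: pkg.version }));
}
```

Running findVulnerableMulter against a real lockfile (JSON.parse of package-lock.json) lists exactly the copies that npm list multer would show as outdated, including the nested ones an override is meant for.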

Is multer 2.x coming?

multer 2.x is in development as of early 2026 but has not been officially released. For now, 1.4.5-lts.1 is the safe version to use. There are no known CVEs in 1.4.5-lts.1.


Common questions

Why is the version 1.4.5-lts.1 and not just 1.4.5?

multer 1.4.4 had a CRITICAL prototype pollution vulnerability (CVE-2022-24434). The maintainers released a patched version as 1.4.5-lts.1 rather than 1.4.5 to signal it was a long-term support security patch, not a feature release. The -lts.1 suffix is unconventional for npm but common in some ecosystems. It is a valid semver pre-release identifier.

Does npm update to 1.4.5-lts.1 automatically?

No. npm does not automatically install pre-release versions. If your package.json has "multer": "^1.4.4", npm will not upgrade to 1.4.5-lts.1 because pre-release versions are excluded from semver range matching by default. You must explicitly update: npm install multer@1.4.5-lts.1.

Is multer 2.x available?

multer 2.x is in development but has not been officially released as of early 2026. The current safe version is 1.4.5-lts.1. Check the multer GitHub repo for the latest status before deciding whether to wait for v2 or pin to 1.4.5-lts.1.

What is CVE-2022-24434?

CVE-2022-24434 is a denial of service vulnerability in multer's multipart form parsing. A crafted multipart request can cause multer to hang indefinitely, blocking the Node.js event loop and taking down the server. In Node.js's single-threaded model, a single malicious request can affect all concurrent users.

Does multer 1.4.5-lts.1 have any breaking changes from 1.4.4?

No. 1.4.5-lts.1 is a security patch only. The API is identical to 1.4.4. Updating requires no code changes, just the version number in package.json and an npm install.
