multer 1.4.5-lts.1 is now vulnerable. CVE-2025-47944 (HIGH, CVSS 7.5) affects all multer versions >=1.4.4-lts.1 and <2.0.0. The only fix is upgrading to multer@2.1.1. No workarounds exist.
multer Version Security Status
Last updated April 1, 2026. Check your version: `npm list multer`
| Version | Status | CVEs | Notes |
|---|---|---|---|
| 2.1.1+ | SAFE | None | Current safe version. Requires Node.js 10.16+. Has breaking changes from 1.x. |
| 2.0.x | VULNERABLE | CVE-2026-3520 | Fixes 2025 CVEs but vulnerable to CVE-2026-3520 (CVSS 8.7). Upgrade to 2.1.1. |
| 1.4.5-lts.1 | VULNERABLE | CVE-2025-47944, CVE-2022-24434 | Previously recommended as safe for CVE-2022-24434 — now itself vulnerable. Upgrade to 2.1.1. |
| 1.4.4 and below | VULNERABLE | CVE-2022-24434 + more | Multiple CVEs. Upgrade to 2.1.1 immediately. |
How to upgrade: 1.x → 2.x

```shell
npm install multer@2.1.1
```

- Requires Node.js 10.16.0 or later
- `fileFilter` callback signature changed — check the multer 2.x docs
- Some multer plugins (multer-gridfs-storage, multer-s3) may need updates to support 2.x — check their GitHub for 2.x compatibility
- Error handling changed — test your upload error paths
multer 2.1.1 is the patched version that fixes DoS via uncontrolled recursion (CVE-2026-3520). multer 2.0.x is also vulnerable. The only safe version is multer@2.1.1 or later.
Fix multer — CVE-2022-24434 HIGH
Last updated: April 1, 2026 · multer 1.4.5-lts.1 exists on npm but is vulnerable · Safe version: 2.1.1 · Data: OSV Database
Fix CVE-2022-24434 (HIGH) in multer for npm. Paste your package.json into PackageFix and get a patched version — no CLI, no signup. Denial of service via crafted multipart request.
CVE-2022-24434 (HIGH) — denial of service via crafted multipart request in multer versions below 1.4.5-lts.1.
Vulnerable Version — package.json
"multer": "1.4.4"
Fixed Version — package.json
"multer": "1.4.5-lts.1"
Update multer to 1.4.5-lts.1 or later. Run npm install to apply. Verify with your ecosystem's audit tool after updating.
Why does npm say multer 1.4.5-lts.1 exists?
multer 1.4.5-lts.1 is a real published version on npm — it does exist.
The `-lts.1` suffix caused widespread confusion because npm treats it as a pre-release, not a stable release.
What happened:
- multer 1.4.4 had CVE-2022-24434 (DoS via crafted multipart request)
- Maintainers released a patch as 1.4.5-lts.1 — a pre-release semver string
- The `-lts.1` suffix means npm treats it as a pre-release: `npm install multer` and `npm audit fix` skip it silently
- Millions of projects stayed on vulnerable versions without knowing
Even if you installed 1.4.5-lts.1, it is now itself vulnerable to CVE-2025-47944 and CVE-2026-3520. The only safe version is multer@2.1.1 — there is no safe 1.x version.
```shell
# Check what version you have
npm list multer

# Install the safe version (npm will NOT auto-upgrade to this)
npm install multer@2.1.1

# Verify
npm list multer
# Should show: multer@2.1.1
```
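To make the pre-release behaviour above concrete, here is an added example (not code from the PackageFix page or the multer project): a hand-rolled semver comparator that shows why a caret range such as `^1.4.4` never resolves to `1.4.5-lts.1`, plus a lookup of the advisories from the version table above. It is an illustration rather than the `semver` npm package, and assumes plain `x.y.z` or `x.y.z-<prerelease>` version strings with a major version above 0.

```javascript
// Added example, not from the page or the multer project. Minimal semver
// ordering plus npm's caret/pre-release rule; assumes versions of the form
// x.y.z or x.y.z-<prerelease> and major > 0 (true for every multer release).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Negative if a < b, zero if equal, positive if a > b (semver 2.0.0 ordering).
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) if (x[k] !== y[k]) return x[k] - y[k];
  // A pre-release sorts before the release it precedes: 1.4.5-lts.1 < 1.4.5.
  if (!x.pre.length || !y.pre.length) return y.pre.length - x.pre.length;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined || q === undefined) return p === undefined ? -1 : 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p - +q; } // numeric identifiers compare numerically
    else if (pn !== qn) return pn ? -1 : 1;          // numeric sorts before alphanumeric
    else if (p !== q) return p < q ? -1 : 1;         // otherwise ASCII order
  }
  return 0;
}

// Caret range "^base": >= base and < next major. npm's pre-release rule: a
// pre-release version matches only if the range itself names a pre-release of
// that same major.minor.patch, which is exactly why "^1.4.4" skips 1.4.5-lts.1.
function caretSatisfies(base, version) {
  const b = parseVersion(base), v = parseVersion(version);
  const sameTuple = b.major === v.major && b.minor === v.minor && b.patch === v.patch;
  if (v.pre.length && !(b.pre.length && sameTuple)) return false;
  return v.major === b.major && compareVersions(version, base) >= 0;
}

// Advisories as the page's version table states their ranges.
function advisoriesFor(version) {
  const lt = (v) => compareVersions(version, v) < 0, ge = (v) => compareVersions(version, v) >= 0;
  const cves = [];
  if (lt('1.4.5-lts.1')) cves.push('CVE-2022-24434');                // below 1.4.5-lts.1
  if (ge('1.4.4-lts.1') && lt('2.0.0')) cves.push('CVE-2025-47944'); // >=1.4.4-lts.1 <2.0.0
  if (ge('2.0.0') && lt('2.1.1')) cves.push('CVE-2026-3520');        // 2.0.x
  return cves;
}

console.log(caretSatisfies('1.4.4', '1.4.5-lts.1')); // false: ^1.4.4 never picks the pre-release
console.log(advisoriesFor('1.4.5-lts.1'));           // [ 'CVE-2025-47944' ]
```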
Which packages use multer?
multer is sometimes a transitive dependency. Check if any of these are in your project:
| Package | Downloads | Why |
|---|---|---|
| nestjs/platform-express | varies | NestJS file upload modules depend on multer |
| express-fileupload | varies | Some versions wrap multer internally |
| multer-s3 | varies | S3 storage engine — requires multer as peer dependency |
| multer-gridfs-storage | varies | GridFS storage engine — check 2.x compatibility |
If multer is transitive in your project:
Paste your manifest — get back a fixed version with all CVEs patched in seconds.
Open PackageFix → No signup · No CLI · No GitHub connection · Runs 100% in your browser
CVE Details
| Field | Value |
|---|---|
| CVE ID | CVE-2022-24434 |
| Severity | HIGH |
| Package | multer (npm) |
| Vulnerable versions | Below 1.4.5-lts.1 |
| Safe version | 1.4.5-lts.1 |
| CISA KEV | — |
| Description | Denial of service via crafted multipart request |