apigee-127/swagger-tools

Vulnerability risk at multer npm dependency.

Opened this issue · 2 comments

Hi,
According to expressjs/multer#344 and
https://cwe.mitre.org/data/definitions/400.html:

The multer package is vulnerable to Denial of Service (DoS). The files make-middleware.js and disk.js read all the bytes of an uploaded file before failing the upload due to the file being larger than the defined limit. A remote attacker can exploit this vulnerability by submitting a large file to be uploaded, making the server unresponsive to other requests, resulting in a Denial of Service (DoS).
It was fixed in versions 2.0.0 and later.

Could you please change the dependency to "multer": "v2.0.0-alpha.6" ?

Best regards.
Boris.

any update on this one?

+1