🚨 [security] Update multer 2.0.0 → 2.1.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ multer (2.0.0 → 2.1.1) · Repo · Changelog

Security Advisories 🚨

🚨 Multer Vulnerable to Denial of Service via Uncontrolled Recursion

Impact

A vulnerability in Multer versions < 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow.

Patches

Users should upgrade to 2.1.1

Workarounds

None

Resources

• GHSA-5528-5vmv-3xc2
• https://www.cve.org/CVERecord?id=CVE-2026-3520
• 7e66481
• https://cna.openjsf.org/security-advisories.html

🚨 Multer vulnerable to Denial of Service via incomplete cleanup

Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion.

Patches

Users should upgrade to 2.1.0

Workarounds

None

🚨 Multer vulnerable to Denial of Service via resource exhaustion

Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion.

Patches

Users should upgrade to 2.1.0

Workarounds

None

🚨 Multer vulnerable to Denial of Service via unhandled exception from malformed request

Impact

A vulnerability in Multer versions >= 1.4.4-lts.1, < 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed request. This request causes an unhandled exception, leading to a crash of the process.

Patches

Users should upgrade to 2.0.2

Workarounds

None

🚨 Multer vulnerable to Denial of Service via unhandled exception

Impact

A vulnerability in Multer versions >=1.4.4-lts.1, <2.0.1 allows an attacker to trigger a Denial of Service (DoS) by sending an upload file request with an empty string field name. This request causes an unhandled exception, leading to a crash of the process.

Patches

Users should upgrade to 2.0.1

Workarounds

None

References

35a3272
#1233
#1256

Release Notes

2.1.0

Important

• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

What's Changed

• chore: add funding to package.json by @bjohansebas in #1346
• chore: drop mkdirp dependency by @wojtekmaj in #1350
• chore: drop object-assign dependency by @wojtekmaj in #1351
• chore: drop xtend dependency by @wojtekmaj in #1352
• chore(gitignore): ignore .nyc_output directory by @ShubhamOulkar in #1332
• Fix typo in README-vi.md regarding file upload by @Kunniii in #1366
• Fix typo in README-pt-br.md for array method by @matheushbm192 in #1367
• headers-support-utf8 by @Doc999tor in #1210
• Add Turkish translation (README-tr.md) by @Sabandogan in #1360
• Release: 2.1.0 by @UlisesGascon in #1371

New Contributors

• @wojtekmaj made their first contribution in #1350
• @ShubhamOulkar made their first contribution in #1332
• @Kunniii made their first contribution in #1366
• @matheushbm192 made their first contribution in #1367
• @Doc999tor made their first contribution in #1210
• @Sabandogan made their first contribution in #1360

Full Changelog: v2.0.2...v2.1.0

2.0.2

Important

• Fix CVE-2025-7338 (GHSA-fjgf-rc76-4x9p)

Full Changelog: v2.0.1...v2.0.2

2.0.1

Important

• Fix CVE-2025-48997 (GHSA-g5hg-p3ph-g8qg)

What's Changed

• add Arabic translation for README .. by @3imed-jaberi in #762
• Update README.md to fix issue #1114 by @Mohamed-Abdelfattah in #1169
• Improved documentation translation to Spanish by @juliomontenegro in #1174
• Translated to french by @AlanLg in #1182
• Improve the Brazilian Portuguese translation by @vitorRibeiro7 in #1204
• doc: uzbek language by @eugene0928 in #1232
• Fix a mistake with README-pt-br.md by @Igor-CA in #1251
• Update in Readme-pt-br and fix in Readme-ko by @carlosstenzel in #1252
• chore: add support for OSSF scorecard reporting by @inigomarquinez in #1260
• ci: replace travis with github action by @inigomarquinez in #1259
• docs: improve readability by @Sreejit-Sengupto in #1255
• test: add test for out-of-band error event by @LinusU in #1294
• chore: upgrade scorecard workflow pinned action versions by @carpasse in #1290
• Documentation: remove unfortunate abbreviation from readme by @MaddyGuthridge in #1299
• ci: use ubuntu-latest as default runner by @UlisesGascon in #1308
• ci: add CodeQL (SAST) by @bjohansebas in #1289
• Update readme badges by @bjohansebas in #1268
• 📝 fix changelog information by @ctcpip in #1316
• master -> v2 by @ctcpip in #1317
• chore: fix typo by @saucecodee in #993
• Remove --save from README by @username1001 in #929
• feat - update link badge in docs by @carlosstenzel in #1273
• ci: change branch reference by @UlisesGascon in #1319
• ♻️ use version tag for CI, fix CI badge, fix references to master/main by @ctcpip in #1324
• deps: update dependencies to latest versions by @bjohansebas in #1328
• 📝 list languages in table to prevent GH right-aligning list due to RTL language by @ctcpip in #1325
• [StepSecurity] Apply security best practices by @step-security-bot in #1311

New Contributors

• @3imed-jaberi made their first contribution in #762
• @Mohamed-Abdelfattah made their first contribution in #1169
• @juliomontenegro made their first contribution in #1174
• @AlanLg made their first contribution in #1182
• @vitorRibeiro7 made their first contribution in #1204
• @eugene0928 made their first contribution in #1232
• @Igor-CA made their first contribution in #1251
• @inigomarquinez made their first contribution in #1260
• @Sreejit-Sengupto made their first contribution in #1255
• @carpasse made their first contribution in #1290
• @MaddyGuthridge made their first contribution in #1299
• @saucecodee made their first contribution in #993
• @username1001 made their first contribution in #929
• @step-security-bot made their first contribution in #1311

Full Changelog: v2.0.0...v.2.0.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

• 2.1.1 (#1380)
• 🐛 fix recursion issue
• ✅ add explicit test for client able to send body without abrupt disconnect
• fix error/abort handling
• chore(deps): bump actions/checkout from 4.1.1 to 6.0.2 (#1374)
• chore(deps): bump actions/upload-artifact from 4.5.0 to 7.0.0 (#1375)
• chore(deps): bump github/codeql-action from 3.24.7 to 4.32.4 (#1376)
• chore(deps): bump coverallsapp/github-action from 1.2.5 to 2.3.6 (#1377)
• chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 (#1378)
• chore: add node version to 25.x in CI
• 2.1.0 (#1371)
• 🔒 fix orphaned files issue
• 🔒️ improve disconnect handling
• docs: add Turkish translation (README-tr.md) (#1360)
• feat: add defParamCharset option for UTF-8 filename support (#1210)
• docs: improve readability in README-pt-br.md for array method (#1367)
• docs: improve readability (#1366)
• fix: add `.nyc_output` to `.gitignore` (#1332)
• chore: drop xtend dependency (#1352)
• chore: drop object-assign dependency (#1351)
• chore: drop mkdirp dependency (#1350)
• chore: add funding to package.json (#1346)
• 🔖 2.0.2
• 🥅 improve error handling
• 🔖 2.0.1
• Fixes https://github.com/expressjs/multer/issues/1233. Makes multer handle missing field names.
• ci: apply security best practices (#1311)
• 📝 list languages in table to prevent GH right-aligning list due to RTL language
• deps: update dependencies to latest versions (#1328)
• ♻️ use version tag for CI, fix CI badge, fix references to master/main
• 📝 fix badges in translation files (#1321)
• ci: change branch reference
• ci: change branch reference
• docs: update badge links in docs (#1273)
• docs: remove reference to `--save` npm flag (#929)
• chore: fix typo (#993)
• Merge pull request #1317 from expressjs/master-v2-merge-fix
• Merge branch 'master' into v2
• 📝 fix changelog information (#1316)

↗️ concat-stream (indirect, 1.6.2 → 2.0.0) · Repo

Commits

See the full diff on Github. The new version differs by 2 commits:

• 2.0.0
• readable-stream@3.0.2 (#61)

↗️ readable-stream (indirect, 2.3.8 → 3.6.2) · Repo

Release Notes

3.6.2

What's Changed

• Fix es5 compatibility by @mcollina in #508

Full Changelog: v3.6.1...v3.6.2

3.6.0

• Fix babel loose mode for classes and update to Node v10.19.0 #428 by @ljharb

3.5.0

• Update to Node v10.18.1 #420

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ string_decoder (indirect, 1.1.1 → 1.3.0) · Repo

Commits

See the full diff on Github. The new version differs by 8 commits:

• Bumped v1.3.0.
• Merge pull request #15 from feross/patch-1
• safe-buffer@~5.2.0
• Bumped v1.2.0.
• Merge pull request #12 from nodejs/use-npm-legacy-node-4
• Use npm legacy in node 4
• Merge pull request #11 from fabiosantoscode/patch-1
• Update package.json

🗑️ isarray (removed)

🗑️ minimist (removed)

🗑️ mkdirp (removed)

🗑️ object-assign (removed)

🗑️ process-nextick-args (removed)

🗑️ xtend (removed)

🗑️ core-util-is (removed)

🗑️ safe-buffer (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[netlify]

✅ Deploy Preview for colorflux ready!

Name	Link
🔨 Latest commit	6a5fd94
🔍 Latest deploy log	https://app.netlify.com/projects/colorflux/deploys/69a8e4f05f780b0008f3786b
😎 Deploy Preview	https://deploy-preview-16--colorflux.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.