
Vulnerability risk in multer npm dependency.

Open · BorisLeumi opened this issue · 2 comments

Hi. According to https://github.com/expressjs/multer/issues/344 and https://cwe.mitre.org/data/definitions/400.html:

The multer package is vulnerable to Denial of Service (DoS). The files make-middleware.js and disk.js read all the bytes of an uploaded file before failing the upload due to the file being larger than the defined limit. A remote attacker can exploit this vulnerability by submitting a large file to be uploaded, making the server unresponsive to other requests, resulting in a Denial of Service (DoS). It was fixed in versions 2.0.0+.

Could you please change the dependency to "multer": "v2.0.0-alpha.6" ?

Best regards. Boris.

BorisLeumi, May 30 '18 16:05

any update on this one?

cjolif, Jun 18 '18 14:06

+1

mbiakov, Jun 28 '18 08:06