
Advisory GHSA-4pg4-qvpc-4q3h lists incorrect fixed version

Open MikeKoval opened this issue 5 months ago • 1 comment

I have noticed an issue with the details provided in the advisory GHSA-4pg4-qvpc-4q3h regarding the fixed version.

Look, this PR to fix the vulnerability, https://github.com/expressjs/multer/pull/1177, is present in both v1.4.5-lts.2 and v2.0.0:

https://github.com/expressjs/multer/commits/v1.4.5-lts.2
https://github.com/expressjs/multer/commits/v2.0.0

So I think v1.4.5-lts.2 is not affected; also, npm audit does not complain about it.

Could you please review and update the advisory to reflect the correct information? Thank you.

MikeKoval avatar Jul 23 '25 12:07 MikeKoval
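The reporter established "the PR is present in v1.4.5-lts.2" by reading the commit lists on GitHub. The same question can be asked of git directly: is the fix commit an ancestor of the release tag? The script below is an added example, not code from the thread or from the multer project. It builds a small constructed repository (two tags, a fix commit that is on one of them) so it runs offline; against the real project you would run `fix_in_tag` on a clone of expressjs/multer with the commit hash from the advisory (for example a4be1d56b7f1b373389da074ac3e9b929449d98a) and the tag v1.4.5-lts.2. Note that this answers "is the commit in the tag", not "is the fix complete", which is the distinction the maintainers' reply below turns on.

```shell
#!/bin/sh
# Added example: test whether a fix commit is reachable from a release tag.
# The repository used here is constructed locally; it is not the multer repo.

# fix_in_tag REPO COMMIT TAG
# Prints "yes" if COMMIT is an ancestor of (or equal to) TAG, "no" otherwise.
# Exits 2 if COMMIT does not name a commit in REPO, so a typo in the hash
# is not silently reported as "not fixed".
fix_in_tag() {
  repo=$1; commit=$2; tag=$3
  git -C "$repo" rev-parse -q --verify "${commit}^{commit}" >/dev/null \
    || { echo "unknown commit: $commit" >&2; return 2; }
  if git -C "$repo" merge-base --is-ancestor "$commit" "$tag"; then
    echo yes
  else
    echo no
  fi
}

# make_demo_repo
# Creates a throwaway repo with tag v1.0.0 (before the fix) and tag v1.0.1
# (at the fix commit) and prints its path. Constructed data for the demo.
make_demo_repo() {
  dir=$(mktemp -d)
  git init -q "$dir"
  g="git -C $dir -c user.name=demo -c user.email=demo@example.invalid"
  echo base > "$dir/handler.js"
  $g add handler.js
  $g commit -q -m "initial release"
  $g tag v1.0.0
  echo "fixed" > "$dir/handler.js"
  $g add handler.js
  $g commit -q -m "fix: handle the reported edge case"
  $g tag v1.0.1
  echo "$dir"
}

# Demo run: the fix commit is the one v1.0.1 points at.
demo=$(make_demo_repo)
fix=$(git -C "$demo" rev-parse v1.0.1)
echo "fix in v1.0.0: $(fix_in_tag "$demo" "$fix" v1.0.0)"
echo "fix in v1.0.1: $(fix_in_tag "$demo" "$fix" v1.0.1)"
```

For a real advisory triage, run the check once per release line you ship (here v1.4.5-lts.2 and v2.0.0) and then read the follow-up commits between those tags, because a commit being present says nothing about whether later commits were needed to complete the fix.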

Hi @MikeKoval,

Sorry for the slow response and thank you for the contribution!

It looks like v1.4.5-lts.2 only received a partial fix. v1.4.5-lts.2 received https://github.com/expressjs/multer/commit/a4be1d56b7f1b373389da074ac3e9b929449d98a. However, it was later noticed that the fix missed some cases so 2.0.0 was released with the complete fix. This is likely why the maintainer says the fixed version is 2.0.0.

If you think it would be helpful, we could include a note in the description explaining that v1.4.5-lts.2 only contains a partial fix.

JonathanLEvans avatar Aug 14 '25 21:08 JonathanLEvans