Hi,

According to https://github.com/expressjs/multer/issues/344 and https://cwe.mitre.org/data/definitions/400.html:
The multer package is vulnerable to Denial of Service (DoS). The files make-middleware.js and disk.js read all the bytes of an uploaded file before failing the upload due to the file being larger than the defined limit. A remote attacker can exploit this vulnerability by submitting a large file to be uploaded, making the server unresponsive to other requests, resulting in a Denial of Service (DoS). It was fixed in versions 2.0.0+.

Could you please change the dependency to "multer": "v2.0.0-alpha.6"?
Best regards,
Boris.
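The difference between checking an upload's size after reading it and enforcing the limit while the bytes arrive, as an added example that is not part of the original report and is not multer's code. The function names, the 1 MiB limit and the generated upload are constructed for illustration.

```javascript
// Constructed upload source: lazily yields `total` bytes in `chunk`-byte pieces,
// standing in for a request body arriving from the socket.
function* constructedUpload(total, chunk) {
  for (let sent = 0; sent < total; sent += chunk) {
    yield Buffer.alloc(Math.min(chunk, total - sent));
  }
}

// Pattern the report describes: consume the whole body, then compare to the limit.
function checkAfterBuffering(chunks, limit) {
  const parts = [];
  let bytesRead = 0;
  for (const c of chunks) {
    parts.push(c);
    bytesRead += c.length;
  }
  return { accepted: Buffer.concat(parts).length <= limit, bytesRead };
}

// Hardened pattern: count bytes as they arrive and stop at the first chunk
// that crosses the limit, before it is handed to storage.
function checkWhileStreaming(chunks, limit, sink) {
  let bytesRead = 0;
  for (const c of chunks) {
    bytesRead += c.length;
    if (bytesRead > limit) {
      // A real handler would also destroy the request stream and
      // delete any partially written file at this point.
      return { accepted: false, bytesRead };
    }
    sink(c);
  }
  return { accepted: true, bytesRead };
}

const LIMIT = 1024 * 1024;          // 1 MiB upload limit (constructed)
const OVERSIZED = 16 * 1024 * 1024; // 16 MiB upload (constructed)
const CHUNK = 64 * 1024;

function compare() {
  let written = 0;
  const sink = (c) => { written += c.length; }; // stands in for the disk write
  const buffered = checkAfterBuffering(constructedUpload(OVERSIZED, CHUNK), LIMIT);
  const streamed = checkWhileStreaming(constructedUpload(OVERSIZED, CHUNK), LIMIT, sink);
  return { buffered, streamed, written };
}

console.log(compare());
```

Both functions reject the oversized upload; the work done before rejecting is what differs, and that work is what an oversized request costs the server.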