{
  "threat_severity" : "Moderate",
  "public_date" : "2025-07-17T15:26:45Z",
  "bugzilla" : {
    "description" : "multer: Multer Denial of Service",
    "id" : "2381726",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2381726"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-248",
  "details" : [ "Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available.", "A denial of service vulnerability was found in the Multer NPM library. This vulnerability allows an attacker to trigger a denial of service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, resulting in a process crash." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Developer Hub 1.6",
    "release_date" : "2025-08-27T00:00:00Z",
    "advisory" : "RHSA-2025:14767",
    "cpe" : "cpe:/a:redhat:rhdh:1.6::el9",
    "package" : "rhdh/rhdh-hub-rhel9:sha256:48b72d96926999336505cbf097f873dd9ccb2dec814a5db7f7ffa630dea29dc5"
  }, {
    "product_name" : "Red Hat Developer Hub 1.7",
    "release_date" : "2025-08-19T00:00:00Z",
    "advisory" : "RHSA-2025:14090",
    "cpe" : "cpe:/a:redhat:rhdh:1.7::el9",
    "package" : "rhdh/rhdh-hub-rhel9:sha256:aa3c5b50c65aee51b932fafcbf479ce54f15496cffc2744860bd9e135cce815c"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Will not fix",
    "package_name" : "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Not affected",
    "package_name" : "rhdh/rhdh-rhel9-operator",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-7338\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-7338\nhttps://cna.openjsf.org/security-advisories.html\nhttps://github.com/expressjs/multer/commit/adfeaf669f0e7fe953eab191a762164a452d143b\nhttps://github.com/expressjs/multer/security/advisories/GHSA-fjgf-rc76-4x9p" ],
  "name" : "CVE-2025-7338",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}