Skip to content

Dependency vulnerabilities in v5.1.0 (form-data, multer) #683

Description

@DrunkenHusky

Dependency vulnerabilities in v5.1.0 (form-data, multer)

Hi team,

An audit of the latest v5.1.0 release shows unpatched security vulnerabilities originating from the form-data and multer dependencies.

Here are the details and the required updates to resolve them:

Vulnerability Details

1. form-data

  • CVE: CVE-2026-12143
  • Fix: Bump form-data to version 2.5.6, 3.0.5, 4.0.6, or higher.

2. multer

  • CVEs: CVE-2026-3304, CVE-2026-2359, CVE-2026-3520, CVE-2025-48997, CVE-2025-7338, CVE-2025-47935, CVE-2025-47944, CVE-2026-5079
  • Fix: Bump multer to version 2.2.0, 3.0.0-alpha.2, or higher.

Suggested Action

Could you bump these dependencies in the package.json / package-lock.json for an upcoming patch release? Let me know if you would accept a PR for this.

Thanks.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions