Update dependency multer to v2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
multer	1.4.2 → 2.1.0

---

Multer vulnerable to Denial of Service via incomplete cleanup

CVE-2026-3304 / GHSA-xf7r-hgr6-v32p

More information

Details

Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion.

Patches

Users should upgrade to 2.1.0

Workarounds

None

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/expressjs/multer/security/advisories/GHSA-xf7r-hgr6-v32p
• https://nvd.nist.gov/vuln/detail/CVE-2026-3304
• https://github.com/expressjs/multer/commit/739919097dde3921ec31b930e4b9025036fa74ee
• https://cna.openjsf.org/security-advisories.html
• https://www.cve.org/CVERecord?id=CVE-2026-3304
• https://github.com/advisories/GHSA-xf7r-hgr6-v32p

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Multer vulnerable to Denial of Service via resource exhaustion

CVE-2026-2359 / GHSA-v52c-386h-88mc

More information

Details

Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion.

Patches

Users should upgrade to 2.1.0

Workarounds

None

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/expressjs/multer/security/advisories/GHSA-v52c-386h-88mc
• https://nvd.nist.gov/vuln/detail/CVE-2026-2359
• https://github.com/expressjs/multer/commit/cccf0fe0e64150c4f42ccf6654165c0d66b9adab
• https://cna.openjsf.org/security-advisories.html
• https://www.cve.org/CVERecord?id=CVE-2026-2359
• https://github.com/advisories/GHSA-v52c-386h-88mc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

expressjs/multer (multer)

v2.1.0

Compare Source

• Add defParamCharset option for UTF-8 filename support (#​1210)
• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

v2.0.2

Compare Source

• Fix CVE-2025-7338 (GHSA-fjgf-rc76-4x9p)

v2.0.1

Compare Source

• Fix CVE-2025-48997 (GHSA-g5hg-p3ph-g8qg)

v2.0.0

Compare Source

• Breaking change: The minimum supported Node version is now 10.16.0
• Fix CVE-2025-47935 (GHSA-44fp-w29j-9vj5)
• Fix CVE-2025-47944 (GHSA-4pg4-qvpc-4q3h)

v1.4.4

Compare Source

• Bugfix: Bump busboy to fix CVE-2022-24434 (#​1097)
• Breaking: Require Node.js 10.16.0 or later (#​1097)

v1.4.3

Compare Source

• Bugfix: Avoid deprecated pseudoRandomBytes function (#​774)
• Docs: Add Português Brazil translation for README (#​758)
• Docs: Clarify the callback calling convention (#​775)
• Docs: Add example on how to link to html multipart form (#​580)
• Docs: Add Spanish translation for README (#​838)
• Docs: Add Math.random() to storage filename example (#​841)
• Docs: Fix mistakes in russian doc (#​869)
• Docs: Improve Português Brazil translation (#​877)
• Docs: Update var to const in all Readmes (#​1024)
• Internal: Bump mkdirp version (#​862)
• Internal: Bump Standard version (#​878)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.