Update dependency multer to v2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
multer	1.4.2 → 2.1.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-3304

Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing resource exhaustion.

Patches

Users should upgrade to 2.1.0

Workarounds

None

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE-2026-2359

Impact

A vulnerability in Multer versions < 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping connection during file upload, potentially causing resource exhaustion.

Patches

Users should upgrade to 2.1.0

Workarounds

None

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVE-2026-3520

Impact

A vulnerability in Multer versions < 2.1.1 allows an attacker to trigger a Denial of Service (DoS) by sending malformed requests, potentially causing stack overflow.

Patches

Users should upgrade to 2.1.1

Workarounds

None

Resources

• GHSA-5528-5vmv-3xc2
• https://www.cve.org/CVERecord?id=CVE-2026-3520
• expressjs/multer@7e66481
• https://cna.openjsf.org/security-advisories.html

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

---

Release Notes

expressjs/multer (multer)

v2.1.1

Compare Source

• Fix CVE-2026-3520 (GHSA-5528-5vmv-3xc2)
• fix error/abort handling

v2.1.0

Compare Source

• Add defParamCharset option for UTF-8 filename support (#​1210)
• Fix CVE-2026-2359 (GHSA-v52c-386h-88mc)
• Fix CVE-2026-3304 (GHSA-xf7r-hgr6-v32p)

v2.0.2

Compare Source

• Fix CVE-2025-7338 (GHSA-fjgf-rc76-4x9p)

v2.0.1

Compare Source

• Fix CVE-2025-48997 (GHSA-g5hg-p3ph-g8qg)

v2.0.0

Compare Source

• Breaking change: The minimum supported Node version is now 10.16.0
• Fix CVE-2025-47935 (GHSA-44fp-w29j-9vj5)
• Fix CVE-2025-47944 (GHSA-4pg4-qvpc-4q3h)

v1.4.4

Compare Source

• Bugfix: Bump busboy to fix CVE-2022-24434 (#​1097)
• Breaking: Require Node.js 10.16.0 or later (#​1097)

v1.4.3

Compare Source

• Bugfix: Avoid deprecated pseudoRandomBytes function (#​774)
• Docs: Add Português Brazil translation for README (#​758)
• Docs: Clarify the callback calling convention (#​775)
• Docs: Add example on how to link to html multipart form (#​580)
• Docs: Add Spanish translation for README (#​838)
• Docs: Add Math.random() to storage filename example (#​841)
• Docs: Fix mistakes in russian doc (#​869)
• Docs: Improve Português Brazil translation (#​877)
• Docs: Update var to const in all Readmes (#​1024)
• Internal: Bump mkdirp version (#​862)
• Internal: Bump Standard version (#​878)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.