Npm · Webpack-Dev-Server · CVE-2026-9595
**Name of the Vulnerable Software and Affected Versions**
webpack-dev-server versions prior to 5.2.5
**Description**
A permissive user-configured proxy with a broad context (e.g., '/') and `ws: true` intercepts the development server's own Hot Module Replacement (HMR) WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend and bypasses the development server's Host/Origin validation. It also corrupts the HMR socket, because both the HMR server and the proxy attempt to write to the same socket.
**Recommendations**
Update to version 5.2.5.
Scope user-defined proxy context to specific paths instead of '/'.
Omit `ws: true` from the proxy entry when WebSocket forwarding is not required.
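The following configuration audit is an added example, not code from this advisory or from the webpack-dev-server project. It flags `devServer.proxy` entries that combine `ws: true` with a context covering the HMR socket path. The function names, the sample configs, the default socket path `/ws`, and prefix matching of plain string contexts are assumptions of the example.

```javascript
// Added example (not webpack-dev-server code): flag proxy entries that would
// also capture the dev server's own HMR WebSocket.
// Assumption: the HMR socket path is "/ws" unless webSocketServer.options.path is set.
const DEFAULT_HMR_PATH = "/ws";

function hmrPath(devServer) {
  const wss = devServer.webSocketServer;
  const custom = wss && typeof wss === "object" && wss.options && wss.options.path;
  return custom || DEFAULT_HMR_PATH;
}

// Assumption: a plain string context matches as a path prefix. Glob contexts
// are not evaluated here and are returned as "review".
function contextCovers(context, path) {
  if (/[*?{}!]/.test(context)) return "review";
  return path.startsWith(context) ? "covers" : "clear";
}

function auditProxy(devServer) {
  const socketPath = hmrPath(devServer);
  const findings = [];
  (devServer.proxy || []).forEach((entry, index) => {
    if (!entry || typeof entry !== "object" || entry.ws !== true) return;
    // Assumption: an entry without `context` is treated as matching every path.
    const contexts = [].concat(entry.context === undefined ? "/" : entry.context);
    for (const context of contexts) {
      const verdict = contextCovers(context, socketPath);
      if (verdict !== "clear") findings.push({ index, context, socketPath, verdict });
    }
  });
  return findings;
}

// Constructed sample configs: the weak setting and the scoped one.
const weakDevServer = {
  proxy: [{ context: "/", target: "http://localhost:3000", ws: true }],
};
const scopedDevServer = {
  proxy: [
    { context: ["/api"], target: "http://localhost:3000" },              // no ws
    { context: ["/socket"], target: "http://localhost:3000", ws: true }, // scoped ws
  ],
};

console.log("weak:", auditProxy(weakDevServer));
console.log("scoped:", auditProxy(scopedDevServer));
```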