🧭 Summary

| Item | Details |
|---|---|
| Vulnerability ID | CVE-2022-24434 |
| Impact Range | Indirect: dicer → busboy → multer |
| Severity | High (DoS - Denial of Service) |
| Fixed Version | multer@1.4.4-lts.1 |
| Release Date | May 29, 2022 |
| Minimum Node.js Version | ≥ 6.0.0 |
| Mitigation Summary | Avoid or remove the vulnerable dicer via dependency upgrade (busboy) |

🧨 Vulnerability Overview

  • Attack Vector: a crafted multipart/form-data header line beginning with whitespace or a tab throws an unhandled exception in the parser and crashes the server process
  • Affected Code: HeaderParser.prototype._parseHeader() inside Dicer
  • Report Date: May 20, 2022 (NVD Link)
  • Dependency chain: Express → Multer → Busboy → Dicer (vulnerable layer)

🔧 Patch Details

✅ Multer 1.4.4-lts.1

  • Uses busboy 1.6.0+ to avoid vulnerable dicer
  • Adopted by NestJS (PR #9686)

⚠️ No Official Patch from Dicer

  • PR exists: #22
  • Not merged or released → still vulnerable

📦 Dependency Chain Analysis

| Package | Vulnerable? | Patched? | Notes |
|---|---|---|---|
| Multer | Indirect | ✅ 1.4.4-lts.1 | Includes updated busboy |
| Busboy | Indirect | ✅ ≥ 1.6.0 | Likely avoids or removes dicer |
| Dicer | Direct | ❌ No | PR only, no release |
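To check a project's own lockfile against this chain, here is an added example (not part of the advisory or of the multer, busboy or dicer projects) that audits a package-lock.json (lockfileVersion 2 or 3, an assumption) and reports every dicer entry, since dicer has no fixed release, plus any busboy older than 1.6.0; the two sample lockfiles and their version numbers are constructed.

```javascript
// Added example (not from the advisory or from multer/busboy/dicer): audit a
// package-lock.json (lockfileVersion 2 or 3, an assumption) for CVE-2022-24434.

// "MAJOR.MINOR.PATCH[-prerelease]" -> [major, minor, patch]; the prerelease
// tag (e.g. "-lts.1") is ignored, which is enough for the checks below.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? m.slice(1, 4).map(Number) : null;
}
function isOlderThan(v, target) {
  const a = parseVersion(v), b = parseVersion(target);
  if (!a) return true; // unparsable version: treat as suspect
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Keys look like "node_modules/a/node_modules/b"; the package name is whatever
// follows the last "node_modules/", so scoped forks such as @fastify/busboy pass.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    if (name === 'dicer') {
      findings.push({ path, version: meta.version, reason: 'dicer present (no fixed release)' });
    } else if (name === 'busboy' && isOlderThan(meta.version, '1.6.0')) {
      findings.push({ path, version: meta.version, reason: 'busboy < 1.6.0 pulls in dicer' });
    }
  }
  return findings;
}

// Constructed sample lockfiles; the version numbers are illustrative only.
const vulnerableLock = { lockfileVersion: 2, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/multer': { version: '1.4.4' },
  'node_modules/multer/node_modules/busboy': { version: '0.2.14' },
  'node_modules/dicer': { version: '0.2.5' },
} };
const fixedLock = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/multer': { version: '1.4.4-lts.1' },
  'node_modules/busboy': { version: '1.6.0' },
  'node_modules/@fastify/busboy': { version: '2.0.0' },
} };

if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  for (const f of auditLock(lock)) console.log(`${f.path}@${f.version}: ${f.reason}`);
}
```

Run it against a real lockfile with `node audit-lock.js ./package-lock.json` (the script name is hypothetical); an empty result means neither dicer nor a pre-1.6.0 busboy is installed anywhere in the tree.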

🛠 Mitigation Guide

1️⃣ Upgrade Node.js

  • Minimum: v6.0.0
  • Recommended: v14 or higher

2️⃣ Upgrade Multer

npm install multer@1.4.4-lts.1

Or in package.json:

"dependencies": {
  "multer": "^1.4.4-lts.1"
}

3️⃣ Use npm Overrides (npm ≥ 8.3.0)

In package.json, to force every copy of multer in the dependency tree onto the fixed version:

"overrides": {
  "multer": "^1.4.4-lts.1"
}

4️⃣ Apply Manual Patch (if no official fix)

Patch dicer using patch-package

npm install patch-package --save-dev

In package.json:

"scripts": {
  "postinstall": "patch-package"
}

Edit node_modules/dicer/lib/Dicer.js:

@@ -124,7 +124,11 @@
   this._bparser.on('info', function(isMatch, data, start, end) {
-    self._oninfo(isMatch, data, start, end);
+    try {
+      self._oninfo(isMatch, data, start, end);
+    } catch (e) {
+      self.emit('error', e);
+    }
   });
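Review bot: the catch converts the parser's throw into an 'error' event on the Dicer instance, but Dicer is a stream, and an 'error' event with no listener is rethrown by Node and still crashes the process; this only helps when busboy (or the application) has attached an 'error' handler to that instance, so that should be verified and noted next to the patch. The hunk also wraps `self._oninfo(...)` in the 'info' callback rather than HeaderParser.prototype._parseHeader(), which the overview names as the affected code, so confirm the header-parsing throw actually reaches this call path.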

Then:

npx patch-package dicer

⚠️ This is a temporary workaround, not an official fix. You’ll need to reapply the patch if Dicer’s version changes.


πŸ” Long-Term Considerations

  • dicer is poorly maintained and lacks official updates
  • Consider switching to alternatives like @fastify/busboy or fastify-multipart

✅ Conclusion

  • Multer@1.4.4-lts.1 provides an indirect fix for CVE-2022-24434
  • On Node.js ≥ 6, upgrading Multer may be sufficient
  • In the long run, plan for dependency removal or structural replacement