Platform
nodejs
Component
form-data
Fixed in
2.5.5
3.0.1
4.0.1
2.5.4
CVE-2025-7783 identifies a critical Remote Code Execution (RCE) vulnerability in the 'form-data' library. The vulnerability stems from the library's use of Math.random() to generate boundary values for multipart form-encoded data. An attacker who can observe other Math.random() values and control a field within a request can predict future values, potentially leading to malicious manipulation and code execution. This vulnerability affects versions of 'form-data' prior to 2.5.4 and has been resolved in version 2.5.4.
The core of this vulnerability lies in the predictability of Math.random() in JavaScript. While intended to be pseudo-random, the sequence of values generated can be influenced and predicted if an attacker can observe a few sequential outputs. By observing these values, an attacker can determine the state of the pseudo-random number generator (PRNG) and accurately predict future values, including those used to generate the boundary values for multipart form data. This allows the attacker to craft malicious requests where they can control the boundary, potentially injecting arbitrary data or manipulating the request in ways that lead to code execution on the server. The blast radius is significant, as any application using the vulnerable version of 'form-data' is at risk.
CVE-2025-7783 is considered a critical vulnerability with a CVSS score of 9.5. Public proof-of-concept (POC) exploits are likely to emerge given the severity and relatively straightforward nature of the exploit. The vulnerability was published on 2025-07-21. Active exploitation is possible, and security teams should prioritize patching.
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
The immediate and primary mitigation for CVE-2025-7783 is to upgrade the 'form-data' library to version 2.5.4 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on any data processed by the application to prevent malicious payloads from being injected. Web Application Firewalls (WAFs) can be configured to detect and block requests with suspicious multipart form data. Review and audit the application's code to identify any places where the 'form-data' library is used in a vulnerable manner. After upgrading, confirm the fix by verifying the installed library version and testing multipart form data handling with various inputs.
Update the form-data library to version 2.5.4 or higher, or to a version later than 3.0.3 or 4.0.3. This resolves the insufficiently random values used when choosing the boundary and prevents HTTP Parameter Pollution (HPP) attacks. Run `npm install form-data@latest` or `yarn add form-data@latest` to obtain the latest version.
'form-data' is a JavaScript library that simplifies the creation of HTTP requests with data encoded in multipart/form-data format, commonly used for file uploads and sending complex data through web forms.
Version 2.5.4 fixes the CVE-2025-7783 vulnerability, which allows an attacker to predict the boundary used in multipart/form-data requests, potentially leading to request manipulation.
If you are using a version of 'form-data' older than 2.5.4, your application may be vulnerable. Review your project's dependencies and update the library.
Yes, there are other JavaScript libraries for handling multipart/form-data requests, but it's important to evaluate their security and suitability for your needs.
In addition to updating 'form-data', consider implementing robust input validation, data sanitization, and security monitoring to detect and prevent attacks.