Platform: nodejs
Component: form-data
Fixed in: 2.5.5, 3.0.1, 4.0.1, 2.5.4
CVE-2025-7783 describes a vulnerability in the form-data library: multipart form boundary values are generated with Math.random(), which makes them predictable. An attacker who observes other Math.random() outputs can predict future boundary values and potentially compromise the integrity of the request. Versions prior to 2.5.4 are affected; 2.5.4 includes the fix.
CVE-2025-7783 in the 'form-data' library stems from the use of Math.random() to generate the boundary for multipart form-encoded data. The risk is significant when an attacker can both observe other values produced by Math.random() within the target application and control one field of a request made with 'form-data'. Because Math.random() values are pseudo-random and predictable (as detailed in https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who observes a few sequential values can predict the boundary used in subsequent requests. This could allow manipulation of the multipart request, potentially leading to code injection or data alteration.
Exploiting this vulnerability requires detailed knowledge of the application's internals and the ability to observe and manipulate HTTP requests. The attacker must be able to influence a field in the multipart request while also observing values generated by Math.random() in order to predict the boundary. Success depends on correlating those Math.random() observations with the boundary used in the request, and the difficulty varies with the application's architecture and security measures.
Exploit Status
EPSS: 0.08% (23rd percentile)
CISA SSVC
The recommended solution is to update the 'form-data' library to version 2.5.4 or higher, which replaces the predictable boundary generation with a more secure method. Additionally, review your application's code for any reliance on Math.random() in security-sensitive contexts and use a cryptographically secure random number generator wherever unpredictability matters. Logging and monitoring can help detect exploitation attempts.
Update the form-data library to version 2.5.4 or higher, or to a version later than 3.0.3 or 4.0.3. This fixes the use of insufficiently random values when choosing the boundary and prevents the resulting HTTP Parameter Pollution (HPP) attacks. Run `npm install form-data@latest` or `yarn add form-data@latest` to get the latest version.
'form-data' is a JavaScript library that simplifies the creation of HTTP requests with data encoded in multipart/form-data format, commonly used for file uploads and sending complex data through web forms.
Version 2.5.4 fixes the CVE-2025-7783 vulnerability, which allows an attacker to predict the boundary used in multipart/form-data requests, potentially leading to request manipulation.
If you are using a version of 'form-data' older than 2.5.4, your application may be vulnerable. Review your project's dependencies and update the library.
Yes, there are other JavaScript libraries for handling multipart/form-data requests, but it's important to evaluate their security and suitability for your needs.
In addition to updating 'form-data', consider implementing robust input validation, data sanitization, and security monitoring to detect and prevent attacks.