PT-2025-30061 · Pypi+5 · Form-Data+5

Benweissmann · Published 2025-07-18 · Updated 2026-03-10 · CVE-2025-7783

CVSS v4.0: 9.4 Critical
Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions
form-data versions < 2.5.4
form-data versions 3.0.0 through 3.0.3
form-data versions 4.0.0 through 4.0.3

Description
A vulnerability exists in the form-data JavaScript library because it uses insufficiently random values when generating the boundary string for multipart form-encoded data. A predictable boundary lets an attacker manipulate HTTP requests and potentially inject additional parameters into backend systems. The library generates the boundary with Math.random(), a non-cryptographic pseudo-random generator whose output is predictable. An attacker who can observe Math.random() values produced by the application can predict later values, including the boundary, and craft a payload that contains it. This can lead to HTTP Parameter Pollution (HPP) and potentially to remote code execution (RCE). Exploitation requires that the application pass user-controlled data through form-data and that it expose Math.random() values.

Recommendations
Update to form-data version 4.0.4.
Update to form-data version 3.0.4.
Update to form-data version 2.5.4.

Exploit · Fix · RCE

Weakness Enumeration

Use of Insufficiently Random Values

Related Identifiers

AZL-65606
AZL-65610
CVE-2025-7783
DLA-4261-1
GHSA-FJXV-7RQG-78G4
OESA-2025-2276
OPENSUSE-SU-2025:15373-1
OPENSUSE-SU-2025:15380-1
SUSE-SU-2025:3919-1
SUSE-SU-2025_3919-1
USN-7976-1

Affected Products

Astra Linux
Debian
Linuxmint
Suse
Ubuntu
Form-Data