Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2025-7783

UNKNOWN
Published 2025-07-18T16:34:44.889Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2025-7783. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.

This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

Available Exploits

No exploits available for this CVE.

Related News

Inverting the Xorshift128 random number generator

CVE-2025-7783 is a very recent vulnerability affecting a lot of applications in the Node.js ecosystem including those which use axios or the deprecated request library. In all honesty, this vulnera…

Wordpress.com 2025-08-31 18:49
Read More

Affected Products

Unknown Vendor

Unknown Product

Affected Versions:

< 2.5.4 3.0.0 - 3.0.3 4.0.0 - 4.0.3

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

EU Coordinated

Exploitation Status

No Known Exploitation

EUVD ID

View on ENISA

ENISA Analysis

Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.

This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

ENISA Scoring

CVSS Score (4.0)

9.4
/10
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

EPSS Score

0.020
probability

ENISA References

https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4
https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0

Data provided by ENISA EU Vulnerability Database. Last updated: July 22, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed CRITICAL

form-data uses unsafe random function in form-data for choosing boundary

GHSA-fjxv-7rqg-78g4

Advisory Details

### Summary form-data uses `Math.random()` to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker: 1. can observe other values produced by Math.random in the target application, and 2. can control one field of a request made using form-data Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request. This is largely the same vulnerability as was [recently found in `undici`](https://hackerone.com/reports/2913312) by [`parrot409`](https://hackerone.com/parrot409?type=user) -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work. ### Details The culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347 An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a `x-request-id` header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. `Math.random()` is a fine place to get these sorts of IDs (in fact, [opentelemetry uses Math.random for this purpose](https://github.com/open-telemetry/opentelemetry-js/blob/2053f0d3a44631ade77ea04f656056a2c8a2ae76/packages/opentelemetry-sdk-trace-base/src/platform/node/RandomIdGenerator.ts#L22)) ### PoC PoC here: https://github.com/benweissmann/CVE-2025-7783-poc Instructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID). ### Impact For an application to be vulnerable, it must: - Use `form-data` to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array) - Reveal values of Math.random(). It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values. If an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.

Affected Packages

npm form-data
ECOSYSTEM: ≥0 <2.5.4
npm form-data
ECOSYSTEM: ≥3.0.0 <3.0.4
npm form-data
ECOSYSTEM: ≥4.0.0 <4.0.4

CVSS Scoring

CVSS Score

9.0

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

References

WEB https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-7783
WEB https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0
WEB https://github.com/benweissmann/CVE-2025-7783-poc
PACKAGE https://github.com/form-data/form-data

Advisory provided by GitHub Security Advisory Database. Published: July 21, 2025, Modified: July 21, 2025

Social Media Intelligence

Real-time discussions and threat intelligence from social platforms

2 posts
Reddit 5 days, 12 hours ago
michaelpaoli

Debian 13.1 (and 12.12) 2025-09-06 "Just" a "minor" point release. But for those that have been waiting to upgrade to Debian 13, perhaps that time now draws nearer? [\[SUA 273-1\] Upcoming Debian 13 Update (13.1)](https://lists.debian.org/debian-stable-announce/2025/09/msg00000.html) [\[SUA 274-1\] Upcoming Debian 12 Update (12.12)](https://lists.debian.org/debian-stable-announce/2025/09/msg00001.html) 13.1: >\[SUA 273-1\] Upcoming Debian 13 Update (13.1) …

Also mentions: CVE-2025-7039 CVE-2025-40927 CVE-2025-9185 CVE-2025-9181 CVE-2025-47806 CVE-2025-47219 CVE-2025-47807 CVE-2025-47808 CVE-2025-53859 CVE-2025-50952 CVE-2025-54798 CVE-2025-54874 CVE-2025-54350 CVE-2025-54349 CVE-2025-27613 CVE-2025-27614 CVE-2025-20260 CVE-2025-23048 CVE-2025-46835 CVE-2025-49812 CVE-2025-49630 CVE-2025-53019 CVE-2025-53101 CVE-2025-53020 CVE-2025-8058 CVE-2024-42516 CVE-2024-43394 CVE-2024-43204 CVE-2024-47252 CVE-2025-6965 CVE-2025-7394 CVE-2025-53015 CVE-2025-53014 CVE-2025-48385 CVE-2025-48384 CVE-2024-25178 CVE-2024-25177 CVE-2024-25176 CVE-2025-4748 CVE-2024-6174 CVE-2024-11584 CVE-2025-6170 CVE-2025-49794 CVE-2025-49796 CVE-2025-6021 CVE-2025-5916 CVE-2025-5915 CVE-2025-5914 CVE-2025-5917 CVE-2025-49133 CVE-2025-48387 CVE-2025-27553 CVE-2025-27773 CVE-2025-48734 CVE-2025-46712 CVE-2025-46393 CVE-2025-46398 CVE-2025-46397 CVE-2025-47203 CVE-2023-52970 CVE-2023-26819 CVE-2025-40908 CVE-2025-40909 CVE-2025-4373 CVE-2023-53154 CVE-2025-2784 CVE-2025-48060 CVE-2025-47273 CVE-2025-4802 CVE-2025-46399 CVE-2025-46400 CVE-2025-46337 CVE-2025-32050 CVE-2025-46421 CVE-2025-46420 CVE-2025-43965 CVE-2025-43964 CVE-2025-43963 CVE-2025-43962 CVE-2025-43961 CVE-2025-3818 CVE-2025-32906 CVE-2025-32912 CVE-2025-32911 CVE-2025-30722 CVE-2025-30693 CVE-2025-3576 CVE-2025-32910 CVE-2025-32909 CVE-2025-32913 CVE-2025-32053 CVE-2025-32052 CVE-2025-32051 CVE-2024-12905 CVE-2025-30472 CVE-2024-6866 CVE-2024-6844 CVE-2024-6839 CVE-2024-8176 CVE-2023-52971 CVE-2023-52969 CVE-2025-27516 CVE-2025-27221 CVE-2022-37660 CVE-2024-56161 CVE-2025-20128 CVE-2025-23016 CVE-2024-34703 CVE-2024-34702 CVE-2024-45236 CVE-2024-45234 CVE-2024-45235 CVE-2024-45238 CVE-2024-45237 CVE-2024-45239 CVE-2024-0962 CVE-2024-10525 CVE-2024-31031 CVE-2024-38875 CVE-2024-57822 CVE-2024-57823 CVE-2024-3935 CVE-2024-42005 CVE-2024-39330 CVE-2024-39329 CVE-2024-39917 CVE-2024-39312 CVE-2024-39614 CVE-2024-52532 CVE-2024-52530 CVE-2024-52531 CVE-2024-33899 CVE-2024-50602 CVE-2024-50624 CVE-2024-50383 CVE-2024-50612 CVE-2024-5569 CVE-2024-49768 CVE-2024-49769 CVE-2024-1681 CVE-2024-41991 CVE-2024-41990 CVE-2024-41989 CVE-2024-8376 CVE-2023-36053 CVE-2023-31484 CVE-2023-28755 CVE-2023-28366 CVE-2023-42822 CVE-2023-52425 CVE-2023-40184 CVE-2022-33065 CVE-2021-46312 CVE-2021-46310 CVE-2021-25743 CVE-2019-25211
70
8
86.0
View Original
Reddit 1 month, 2 weeks ago
_cybersecurity_

Serious Flaw in JavaScript Library Threatens Millions of Apps **A critical vulnerability in the JavaScript form-data library puts millions of applications at risk of code execution attacks.** **Key Points:** - form-data library's use of Math.random() leads to parameter injection vulnerabilities. - Versions below 2.5.4, 3.0.0-3.0.3, and 4.0.0-4.0.3 are at risk. …

11
1
13.0
View Original

References

https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4
https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0
Published: 2025-07-18T16:34:44.889Z
Last Modified: 2025-07-22T14:54:31.105Z
Copied to clipboard!