Critical severity · NVD Advisory · Published Jul 18, 2025 · Updated Apr 15, 2026
CVE-2025-7783
Description
Use of Insufficiently Random Values (CWE-330) in form-data: the multipart boundary was generated with `Math.random()`, V8's non-cryptographic PRNG, whose output can be predicted from other values it produced in the same process. An attacker who can predict the boundary and controls the content of one field value can inject additional multipart parts into the request, i.e. HTTP Parameter Pollution (HPP). The affected code is `FormData.prototype._generateBoundary` in lib/form_data.js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| form-data (npm) | < 2.5.4 | 2.5.4 |
| form-data (npm) | >= 3.0.0, < 3.0.4 | 3.0.4 |
| form-data (npm) | >= 4.0.0, < 4.0.4 | 4.0.4 |
Patches
3d1723080e65 [Fix] Switch to using `crypto` random for boundary values
3 files changed · +62 −6
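--- a/lib/form_data.js
+++ b/lib/form_data.js
@@ -8,6 +8,7 @@ var https = require('https');
 var parseUrl = require('url').parse;
 var fs = require('fs');
 var Stream = require('stream').Stream;
+var crypto = require('crypto');
 var mime = require('mime-types');
 var asynckit = require('asynckit');
 var setToStringTag = require('es-set-tostringtag');
@@ -345,12 +346,7 @@ FormData.prototype._generateBoundary = function () {
   // This generates a 50 character boundary similar to those used by Firefox.
   // They are optimized for boyer-moore parsing.
-  var boundary = '--------------------------';
-  for (var i = 0; i < 24; i++) {
-    boundary += Math.floor(Math.random() * 10).toString(16);
-  }
-
-  this._boundary = boundary;
+  this._boundary = '--------------------------' + crypto.randomBytes(12).toString('hex');
 };
 
 // Note: getLengthSync DOESN'T calculate streams length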
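Review bot: The rewritten `_generateBoundary` keeps only the legacy comment about Firefox and Boyer-Moore, so nothing in the code records why the boundary must come from a CSPRNG, and a later refactor could reintroduce `Math.random()` without anyone noticing. I would add above the assignment: `// Must be unpredictable: a guessable boundary lets whoever controls a field value terminate the part early and inject extra fields (CVE-2025-7783).` The new value is 26 dashes plus 24 hex digits, still the 50 characters the comment promises, and hex digits are valid RFC 2046 boundary characters, so the format change is safe for receivers. The function's signature appears only in the hunk header, so the enclosing definition starts outside the lines shown.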
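--- a/package.json
+++ b/package.json
@@ -58,6 +58,9 @@
     "istanbul": "^0.4.5",
     "obake": "^0.1.2",
     "pkgfiles": "^2.3.2",
+    "pre-commit": "^1.2.2",
+    "predict-v8-randomness": "^1.0.35",
+    "puppeteer": "^1.20.0",
     "request": "~2.87.0",
     "rimraf": "^2.7.1",
     "tape": "^5.9.0"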
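Review bot: The three new devDependencies use caret ranges and no lockfile is among the 3 files changed, so the exact versions that run in CI for a security regression test are not pinned; I would pin them, e.g. `"predict-v8-randomness": "1.0.35"`, and commit the lockfile. `puppeteer ^1.20.0` is an old major line of a package that fetches a browser binary at install time, and neither it nor `pre-commit` is required by the test this commit adds, which only imports `predict-v8-randomness`. If the predictor needs puppeteer at runtime, a line in the test's header comment saying so would tell the next maintainer why it is here; if not, drop both to keep the install surface small.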
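--- /dev/null
+++ b/test/integration/test-boundary-prediction.js
@@ -0,0 +1,57 @@
+var common = require('../common');
+var assert = common.assert;
+var FormData = require(common.dir.lib + '/form_data');
+var predictV8Randomness = require('predict-v8-randomness');
+
+var initialSequence = [
+  Math.random(),
+  Math.random(),
+  Math.random(),
+  Math.random(),
+];
+var predictor = new predictV8Randomness.Predictor(initialSequence);
+
+predictor.predictNext(24).then(function (next24RandomOutputs) {
+  var predictedBoundary = next24RandomOutputs
+    .map(function (v) {
+      return Math.floor(v * 10).toString(16);
+    })
+    .join('');
+
+  var boundaryIntro = '----------------------------';
+
+  var payload =
+    'zzz\r\n' +
+    boundaryIntro +
+    predictedBoundary +
+    '\r\nContent-Disposition: form-data; name="is_admin"\r\n\r\ntrue\r\n' +
+    boundaryIntro +
+    predictedBoundary +
+    '--\r\n';
+
+  var FIELDS = {
+    my_field: {
+      value: payload,
+    },
+  };
+
+  // count total
+  var fieldsPassed = Object.keys(FIELDS).length;
+
+  // prepare form-receiving http server
+  var server = common.testFields(FIELDS, function (fields) {
+    fieldsPassed = fields;
+  });
+
+  server.listen(common.port, function () {
+    var form = new FormData();
+
+    common.actions.populateFields(form, FIELDS);
+
+    common.actions.submit(form, server);
+  });
+
+  process.on('exit', function () {
+    assert.strictEqual(fieldsPassed, 0);
+  });
+});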
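Review bot: `predictor.predictNext(24).then(...)` has no rejection handler, and the `process.on('exit')` assertion is registered only inside the `.then` callback, so if the predictor rejects (solver or browser failure) the assertion is never installed and, on Node versions that merely warn about unhandled rejections, the test exits 0 without checking anything. Change the closing line to `}).catch(function (err) { console.error(err); process.exit(1); });`. `fieldsPassed` is first set to the field count and then overwritten with whatever `common.testFields` hands its callback, which is not visible here, so a one-line comment stating what the expected 0 means (presumably that every declared field arrived and no injected `is_admin` part was parsed) would save the reader a trip into test/common. A header comment naming CVE-2025-7783 and noting that the four `Math.random()` samples must come from the same process as the form-data instance would make the threat model the test encodes explicit.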
Vulnerability mechanics
form-data separates the parts of a multipart body with a boundary string chosen by the sender; the receiver splits the body wherever that string appears. Before the fix, `_generateBoundary` produced the 24 variable characters of the boundary from `Math.random()`, V8's non-cryptographic PRNG, whose next outputs can be computed from a few earlier outputs of the same process — the regression test feeds four `Math.random()` values into a predictor and reproduces the next 24. An attacker who knows the boundary can place `\r\n--<boundary>\r\nContent-Disposition: form-data; name="is_admin"\r\n\r\ntrue\r\n` inside a field value they control, and the receiver parses it as an extra field the application never meant to send (HTTP Parameter Pollution). The fix replaces `Math.random()` with `crypto.randomBytes(12).toString('hex')`, so the boundary can no longer be derived from other PRNG output. Exploitation still requires a way to observe `Math.random()` values from the same process and control over part of a value the application submits; both are deployment-specific, so assess actual exposure rather than relying on the severity rating alone.
References
- github.com/advisories/GHSA-fjxv-7rqg-78g4 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-7783 (GHSA, advisory)
- github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0 (NVD, web)
- github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4 (NVD, web)
- lists.debian.org/debian-lts-announce/2025/07/msg00023.html (NVD, web)