CVE-2025-7783
BaseFortify
Publication date: 2025-07-18
Last updated on: 2025-11-03
Assigner: harborist
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| form-data | form-data | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-7783 is a vulnerability in the form-data Node.js library where the multipart form-data boundary string was generated using JavaScript's Math.random(), which is predictable. This predictability allows attackers to foresee the boundary values used in form-data requests, enabling them to craft malicious payloads that inject additional attacker-controlled parameters into multipart requests. The vulnerability arises because the boundary string is insufficiently random, making it possible to perform HTTP Parameter Pollution (HPP) attacks by manipulating form-data parsing. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to inject unauthorized parameters into multipart form-data requests sent to your application. By predicting the boundary string, attackers can manipulate form parameters, potentially compromising the confidentiality and integrity of data processed by your system. This could lead to unauthorized data modification or leakage, depending on how your application handles repeated or injected parameters. The attack requires no privileges or user interaction but does require the attacker to observe some outputs of Math.random() to predict the boundary. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for predictable multipart form-data boundary strings generated by vulnerable versions of the form-data library. One can analyze HTTP requests containing multipart form-data to identify boundary strings that follow the predictable pattern generated by Math.random(). Additionally, observing repeated or suspicious form-data boundaries or unexpected repeated parameters in multipart requests may indicate exploitation attempts. While no specific commands are provided, inspecting HTTP traffic with tools like Wireshark or using custom scripts to detect predictable boundary patterns based on the fixed prefix and weak randomness can help detect the vulnerability. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the form-data library to a patched version where the vulnerability is fixed. Specifically, update to version 2.5.4, 3.0.4, or 4.0.4 or later, which replace the insecure Math.random() boundary generation with cryptographically secure random bytes using Node.js's crypto.randomBytes() function. This change prevents attackers from predicting boundary strings and injecting malicious parameters. Additionally, reviewing and restricting the handling of repeated parameters in multipart requests on the server side can reduce impact. [1, 2]