Critical Vulnerability in JavaScript Library Exposes Millions of Applications to Code Execution Attacks

A critical security vulnerability has been identified in the widely-used JavaScript library, form-data, potentially exposing millions of applications to code execution attacks. This flaw, designated as CVE-2025-7783, arises from the library’s reliance on the predictable `Math.random()` function to generate boundary values for multipart form-encoded data. This predictability allows attackers to manipulate HTTP requests and inject malicious parameters into backend systems.

Technical Details of the Vulnerability

The vulnerability is rooted in a specific line of code within the form-data library's core functionality. Specifically, line 347 of the `form_data.js` file contains the following code:

```javascript
boundary += Math.floor(Math.random() * 10).toString(16);
```

This implementation uses JavaScript's `Math.random()` function, which is a non-cryptographic pseudo-random number generator (PRNG). Its output becomes predictable once an attacker can observe enough sequential values drawn from the same PRNG state.

The form-data library is instrumental in creating readable multipart/form-data streams for submitting forms and file uploads to web applications. When generating boundaries to separate different parts of multipart data, the library depends on `Math.random()` values. Sophisticated attackers can predict these values by analyzing other `Math.random()` outputs produced by the target application, thereby determining the PRNG state and forecasting future boundary values with high accuracy.

Affected Versions and Scope

The vulnerability impacts multiple versions of the form-data npm package, including:

– Versions below 2.5.4
– Versions 3.0.0 through 3.0.3
– Versions 4.0.0 through 4.0.3

This encompasses a significant portion of applications utilizing the form-data library for handling multipart form submissions and file uploads.

Conditions for Exploitation

For an application to be vulnerable, two conditions must be met:

1. The application must use form-data to send user-controlled data to other systems.
2. It must reveal `Math.random()` values through observable channels.

Common scenarios include applications that generate request IDs using `Math.random()` for distributed tracing, similar to how OpenTelemetry implements random ID generation for correlation across frontend and backend systems.

Attack Methodology

The attack methodology closely mirrors a recently discovered vulnerability in the undici HTTP client library. Attackers can craft payloads containing predicted boundary values followed by additional, fully attacker-controlled fields. This effectively bypasses input sanitization and allows injection of arbitrary parameters into backend requests. Depending on how the target system handles repeated parameters, attackers may be able to either append new values or overwrite existing ones entirely.

Severity and Impact

The vulnerability has been assigned a critical severity rating, reflecting high impact on both confidentiality and integrity.

Risk Factors

– Affected Products: form-data library (npm package)
– Versions < 2.5.4
– Versions 3.0.0 – 3.0.3
– Versions 4.0.0 – 4.0.3
– Impact:
  – Parameter injection attacks
  – Potential code execution on backend systems
– Exploit Prerequisites:
  – Application uses form-data with user-controlled data
  – `Math.random()` values observable by attacker
  – Ability to predict PRNG state from sequential values
  – Target system vulnerable to parameter injection

Mitigation Measures

To address this vulnerability, it is imperative to upgrade the form-data library to the latest patched versions:

– Version 4.0.4
– Version 3.0.4
– Version 2.5.4

Developers and system administrators should prioritize updating to these versions immediately to mitigate the risk of exploitation.

Broader Implications

This vulnerability underscores the critical importance of using secure random number generators in cryptographic and security-sensitive operations. The predictability of `Math.random()` has been a known issue, yet it continues to be used in contexts where unpredictability is paramount.

Moreover, this incident highlights the necessity for developers to stay vigilant about the libraries and dependencies they incorporate into their applications. Regularly updating libraries and monitoring for security advisories are essential practices to maintain the security and integrity of software systems.

Conclusion

The discovery of CVE-2025-7783 in the form-data library serves as a stark reminder of the potential risks associated with predictable random number generation in security-sensitive applications. By promptly updating to the patched versions and adhering to best practices in dependency management, developers can safeguard their applications against such vulnerabilities and ensure the protection of user data and system integrity.