A critical security vulnerability has been discovered in the widely used form-data JavaScript package, potentially exposing thousands of applications to remote attacks through predictable boundary value generation.
The vulnerability, designated as CVE-2025-7783, was published five days ago by Jordan Harband (ljharb), a prominent JavaScript developer and former TC39 specification editor.
Vulnerability Overview
The security flaw stems from form-data's reliance on JavaScript's Math.random() function to generate boundary values for multipart form-encoded data.
This seemingly innocuous design choice creates a critical security weakness because Math.random() is not a cryptographically secure generator: its pseudo-random output is predictable, and sophisticated attackers can exploit that predictability to inject malicious parameters into HTTP requests.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-7783 |
| Severity | Critical |
| CVSS 4.0 Score | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N |
| CWE Classification | CWE-330 (Use of Insufficiently Random Values) |
| Affected Package | form-data (npm) |
| Vulnerable Versions | < 2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3 |
| Patched Versions | 2.5.4, 3.0.4, 4.0.4 |
| Attack Vector | Network |
| Attack Complexity | High |
The vulnerability affects multiple versions of the form-data package, including all versions prior to 2.5.4, versions 3.0.0 through 3.0.3, and versions 4.0.0 through 4.0.3.
Organizations using these versions face immediate risk of parameter injection attacks that could compromise internal systems and expose sensitive data.
Attackers can exploit this vulnerability by observing Math.random() values generated by target applications and using mathematical techniques to predict the pseudo-random number generator’s internal state.
Once the PRNG state is determined, attackers can forecast future boundary values and craft malicious payloads containing predicted boundaries followed by attacker-controlled fields.
The attack scenario requires two conditions: the attacker must be able to observe other Math.random() values produced by the target application, and the attacker must control at least one field in a form-data request.
Common observation vectors include request ID headers used for distributed tracing, which frequently employ Math.random() for generation.
Applications become vulnerable when they use form-data to transmit user-controlled data to backend systems while simultaneously revealing Math.random() values through various channels.
Successful exploitation allows attackers to inject arbitrary parameters into requests, potentially overwriting intended values or adding malicious data that bypasses security controls.
The vulnerability received a critical CVSS 4.0 rating due to its network-based attack vector and its potential for high impact on both the confidentiality of data and the integrity of the affected and subsequent systems.
Security researchers have developed proof-of-concept exploits demonstrating practical exploitation scenarios.
Organizations must immediately upgrade to the patched version for the major release line they use: 2.5.4, 3.0.4, or 4.0.4.
The patches replace Math.random() with cryptographically secure random number generation, eliminating the predictability that enables these attacks.