Closed
Description
Describe the bug
Axios v1.10.0 introduces a critical vulnerability via its transitive dependency on form-data@4.0.0. According to Snyk Security Advisory SNYK-JS-FORMDATA-10841150, this version of form-data is affected by a Predictable Value Range from Previous Values issue, which can lead to HTTP parameter pollution and potentially allow boundary manipulation in multipart requests.
To Reproduce
Install axios@1.10.0 and run a Snyk test:
npm install axios@1.10.0
npx snyk test
You’ll receive:
✗ Predictable Value Range from Previous Values [Critical Severity]
in form-data@4.0.0 via axios@1.10.0 > form-data@4.0.0
This issue was fixed in: 2.5.4, 3.0.4, 4.0.4
Code snippet
Expected behavior
Axios should avoid depending on a vulnerable version of form-data. The expected behavior is that form-data@4.0.4 or higher is used to prevent exposure to known critical vulnerabilities.
Axios Version
1.10.0
Adapter Version
HTTP
Browser
Chrome
Browser Version
No response
Node.js Version
18.18.0
OS
Ubuntu 22.04
Additional Library Versions
NA
Additional context/Screenshots
Snyk output (✔ = after fix):
Tested 104 dependencies for known issues, found 1 issue, 1 vulnerable path.
✗ Predictable Value Range from Previous Values [Critical Severity]
https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150
in form-data@4.0.0 via axios@1.10.0 > form-data@4.0.0
After updating form-data:
✔ Tested 57 dependencies for known issues, no vulnerable paths found.
Suggested Fix
Ensure that Axios depends on form-data@^4.0.4 or higher, which contains the upstream fix for this vulnerability.
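A quick way to confirm which form-data releases a project actually resolves, without depending on the Snyk CLI, is to walk the lockfile and compare every installed form-data copy against the fixed versions the advisory lists (2.5.4, 3.0.4, 4.0.4). The script below is an added example, not code from the axios project or from the issue author; the lockfile it audits is constructed inline to mirror the axios@1.10.0 > form-data@4.0.0 path from the report, and the nested package name "foo" is hypothetical.

```javascript
// Added example (not from axios or the issue reporter): audit a package-lock.json
// (lockfileVersion 2 or 3) for form-data versions below the releases the Snyk
// advisory SNYK-JS-FORMDATA-10841150 names as fixed: 2.5.4, 3.0.4, 4.0.4.

// First fixed release per major line, per the advisory text quoted in the issue.
const FIXED_IN = { 2: [2, 5, 4], 3: [3, 0, 4], 4: [4, 0, 4] };

// Parse "4.0.0" (a leading "v" or a prerelease/build suffix is tolerated) into
// [major, minor, patch] numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "vulnerable" if below the fixed release of its major line, "fixed" if at or
// above it, "unknown" for major lines the advisory does not cover (0.x, 1.x).
function classifyFormData(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED_IN[parsed[0]];
  if (!fixed) return 'unknown';
  return compareVersions(parsed, fixed) < 0 ? 'vulnerable' : 'fixed';
}

// Walk the lockfile "packages" map and report every installed copy of
// form-data, hoisted or nested, with its classification.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // "" is the root project; only paths ending in node_modules/form-data matter.
    if (path === '' || !path.endsWith('node_modules/form-data')) continue;
    findings.push({ path, version: entry.version, status: classifyFormData(entry.version) });
  }
  return findings;
}

// Constructed lockfile fragment: axios@1.10.0 resolving form-data@4.0.0 at the
// top level, plus a second, already-patched copy nested under a hypothetical
// package "foo" to show that every copy is reported, not just the hoisted one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { axios: '1.10.0' } },
    'node_modules/axios': { version: '1.10.0', dependencies: { 'form-data': '^4.0.0' } },
    'node_modules/form-data': { version: '4.0.0' },
    'node_modules/foo/node_modules/form-data': { version: '4.0.4' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.version.padEnd(8)} ${f.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; `npm ls form-data` gives the same dependency paths. Until axios publishes a release that bumps its own range, a consumer can force the patched version with npm's `overrides` field in package.json (for example `"overrides": { "axios": { "form-data": "^4.0.4" } }`), then re-run the audit to confirm no copy is still classified as vulnerable.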