Axios, the popular promise-based HTTP client for Node.js and browsers, has been found vulnerable through a high-severity flaw in a transitive dependency, putting millions of applications at risk of multipart/form-data manipulation. The vulnerability is tracked as CVE-2025-54371 (CVSS 7.5) and stems from insecure randomness in the form-data@4.0.0 package used by axios@1.10.0.
“A critical vulnerability exists in the form-data package used by axios@1.10.0. The issue allows an attacker to predict multipart boundary values generated using Math.random(), opening the door to HTTP parameter pollution or injection attacks,” the advisory states.
Axios is downloaded over 292 million times every month, making it one of the most widely adopted libraries in the JavaScript ecosystem. Designed to work seamlessly across browsers and Node.js environments, Axios leverages the native http module on the server and XMLHttpRequest in the browser.
But version 1.10.0 pulls in form-data@4.0.0 as a transitive dependency, a release that builds multipart boundaries from Math.random(), a non-cryptographic PRNG whose output an attacker can reconstruct after observing enough of it.
The vulnerable form-data version produces predictable boundary strings in multipart requests. This opens the door for a malicious actor to craft multipart messages that exploit:
- HTTP parameter pollution
- Request smuggling
- Backend deserialization flaws
This kind of predictability could allow an attacker to interfere with request parsing logic, especially in microservice or API-heavy backends that depend on strict boundary separation for security. Two preconditions apply in practice: the attacker must be able to observe Math.random() output from the same Node.js process (for example through another endpoint that leaks random values), and must control part of the content that the application encodes into the multipart body. With both, the attacker can place a copy of the boundary inside a field value so that the receiving parser sees extra parts the sender never intended.
The Axios team has resolved the issue in version 1.11.0, which updates the form-data dependency to a patched release (>=4.0.4). Upgrading axios alone is not a complete check, since other packages may pull in their own copy of form-data: run `npm ls form-data` (or the equivalent for your package manager) and confirm that every resolved copy is 4.0.4 or later.
Related Posts:
- Critical Flaw (CVE-2025-7783, CVSS 9.4) in Form-Data Library Exposes Millions of Apps to Multipart Injection & RCE
- Apache Tomcat Patches 4 Flaws: DoS, Privilege Bypass, & Installer Risks Addressed
- Popular JavaScript Library ‘Axios’ Exposes Millions to Server-Side Vulnerabilities (CVE-2025-27152)