A critical vulnerability has been uncovered in the widely used JavaScript library Form-Data, impacting millions of applications that rely on it to submit form data and file uploads. Tracked as CVE-2025-7783 and rated CVSS v4 9.4, the flaw stems from the use of Math.random() to generate the boundary string in multipart form-data requests. Because that generator is not cryptographically secure, an attacker who can observe other Math.random() outputs from the same process can predict the boundary and, given control of one field, inject additional parts into the request.
“This can lead to a security issue if an attacker can observe other values produced by Math.random in the target application, and can control one field of a request made using form-data,” the advisory explains.
In multipart/form-data submissions, the boundary is the delimiter that separates one part of the body from the next: the receiving parser treats every line consisting of "--" followed by the boundary as the start of a new part, so anything that can reproduce the boundary can also reproduce the part structure. Form-Data versions prior to the patch derive this boundary from Math.random() output rather than from a cryptographically secure source.
This makes the boundary predictable. Math.random() is not a cryptographically secure generator (V8 implements it as xorshift128+), and its internal state can be recovered from a short sequence of observed outputs, after which every subsequent value, including the boundary, can be computed in advance.
The advisory notes, “An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field.”
The result is multipart injection: because the attacker-supplied value contains a line that matches the real boundary, the parser ends the current part there and reads the remainder as a new part whose field name and value the attacker chose. Depending on how the receiving parser handles duplicate names, the injected part can add or overwrite server-side fields, which can lead to unauthorized internal requests, parameter overwriting, or data exfiltration, especially in applications that forward the data to internal services or third-party APIs.
The advisory stresses that exploitation hinges on two conditions:
- The attacker must be able to observe Math.random() values, such as via headers like x-request-id or other telemetry/tracing mechanisms (e.g., OpenTelemetry uses Math.random).
- The attacker must control part of the payload sent using the Form-Data library.
In many modern applications, especially microservices that use webhook interactions or automated form submission pipelines, both conditions are met, which makes the vulnerability a real and present danger. The flip side is also worth noting: an application that neither exposes Math.random() output to the attacker nor places attacker-controlled input in a Form-Data field is not exploitable through this bug, although updating remains the right fix.
“If an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems,” the researcher warns.
Security researcher Ben Weissmann disclosed the issue and published a proof of concept demonstrating the attack.
The vulnerability affects the following versions of the Form-Data library:
- < 2.5.4
- 3.0.0 – 3.0.3
- 4.0.0 – 4.0.3
Patched versions are:
- 2.5.4
- 3.0.4
- 4.0.4
Developers and DevOps teams are urged to update immediately. Form-Data is usually pulled in transitively (for example by HTTP clients such as axios) rather than declared directly, so check the resolved versions across the whole dependency tree with npm ls form-data (or the yarn/pnpm equivalent) and npm audit, and make sure every copy in the lockfile lands on 2.5.4, 3.0.4, or 4.0.4.