CVE-2025-7783
Predictable Randomness vulnerability in form-data
What is CVE-2025-7783 About?
This vulnerability in `form-data` arises from its use of `Math.random()` to generate multipart boundary values, which can be predictable. An attacker who can observe `Math.random()` outputs may predict future boundary values, allowing them to inject additional parameters into requests. This could lead to arbitrary request modifications or bypasses of intended data integrity, and while observation of `Math.random()` values adds some complexity, it can be facilitated by common application patterns.
Affected Software
- form-data
  - >4.0.0, <4.0.4
  - >3.0.0, <3.0.4
  - <2.5.4
Technical Details
The `form-data` library uses `Math.random()` to generate the boundary string for multipart form-encoded data. `Math.random()` is a pseudo-random number generator, and its state can be predicted if an attacker observes a sufficient number of sequential outputs. If an application reveals these `Math.random()` outputs (e.g., in `x-request-id` headers), an attacker can predict the boundary value. With this prediction, the attacker can craft a malicious payload containing the predicted boundary, effectively injecting arbitrary, attacker-controlled parameters into the multipart request. This bypasses the intended structure and allows for manipulation of data sent to internal systems. The attack is similar to an improper escaping vulnerability, allowing an attacker to 'close' the legitimate form field and add their own.
What is the Impact of CVE-2025-7783?
Successful exploitation may allow attackers to inject arbitrary parameters into requests, modify application data, or bypass security checks, potentially leading to unauthorized access or actions.
What is the Exploitability of CVE-2025-7783?
Exploitation requires two key conditions: the application must use `form-data` to send user-controlled data to another system, and it must reveal output values from `Math.random()` that an attacker can observe. The complexity is moderate, involving predicting the PRNG state based on observed values and then crafting a specific payload. No direct authentication to the `form-data` library is needed, but the attacker must have a means to interact with the application to observe random values and influence the form data submission. This is a remote attack, and it is significantly more likely if the application frequently uses `Math.random()` in observable ways (e.g., for request IDs in headers) or if the attacker can control a webhook endpoint to observe `form-data` boundaries directly.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| benweissmann | Link | POC of CVE-2025-7783 |
What are the Available Fixes for CVE-2025-7783?
About the Fix from Resolved Security
The patch replaces the use of `Math.random()` for generating multipart boundaries with `crypto.randomBytes`, making the boundary value cryptographically secure and unpredictable. This fixes CVE-2025-7783 by preventing attackers from predicting boundary values and crafting malicious multipart requests, which the predictable `Math.random()` output had made possible.
Available Upgrade Options
- form-data
  - <2.5.4 → Upgrade to 2.5.4
  - >3.0.0, <3.0.4 → Upgrade to 3.0.4
  - >4.0.0, <4.0.4 → Upgrade to 4.0.4
Additional Resources
- https://github.com/form-data/form-data
- https://nvd.nist.gov/vuln/detail/CVE-2025-7783
- https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4
- https://github.com/benweissmann/CVE-2025-7783-poc
- https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0
- https://osv.dev/vulnerability/GHSA-fjxv-7rqg-78g4
What are Similar Vulnerabilities to CVE-2025-7783?
Similar Vulnerabilities: CVE-2023-29133, CVE-2015-0205, CVE-2018-12497, CVE-2019-14283, CVE-2019-19799
