What is the critical form-data JavaScript library vulnerability CVE-2025-7783?

CVE-2025-7783 is a critical vulnerability with a CVSS score of 9.4 affecting the form-data JavaScript library that could lead to remote code execution and data exfiltration. The vulnerability is caused by the use of Math.random() to generate boundary values in multipart form-data requests, creating predictable and exploitable behavior.

What is the form-data JavaScript library?

The form-data JavaScript library is used in the JavaScript ecosystem for handling file uploads and form submissions. This widespread usage makes the vulnerability particularly concerning for enterprise applications and cloud services that rely on this library.

What causes the CVE-2025-7783 vulnerability?

The vulnerability is caused by the use of Math.random() to generate boundary values in multipart form-data requests. The problematic code uses 'boundary += Math.floor(Math.random() * 10).toString(16)' which creates predictable boundary values because Math.random() is not cryptographically secure and its output can be reverse-engineered.

What conditions are required to exploit CVE-2025-7783?

Successful exploitation requires two conditions: 1) The attacker must be able to observe Math.random() values, such as via headers like x-request-id or other telemetry/tracing mechanisms (e.g., OpenTelemetry uses Math.random), and 2) The attacker must control part of the payload sent using the Form-Data library.

Which form-data library versions are affected by CVE-2025-7783?

The affected versions are: versions prior to 2.5.4, versions 3.0.0 through 3.0.3, and versions 4.0.0 through 4.0.3. These versions use the vulnerable Math.random() implementation for boundary generation.

What is the CVSS score for CVE-2025-7783?

CVE-2025-7783 has a CVSS score of 9.4, which indicates critical severity. This high score reflects the potential for remote code execution and data exfiltration in affected applications.

How was the form-data vulnerability fixed?

The vulnerability was fixed by replacing Math.random() with cryptographically secure random number generation in the boundary value creation process. This eliminates the predictability that enabled boundary value prediction attacks.

What should developers do about the form-data vulnerability?

Developers and DevOps teams are urged to immediately update to the latest patched versions (2.5.4, 3.0.4, or 4.0.4) to mitigate the vulnerability. Organizations should also audit their applications to identify usage of the vulnerable form-data library versions.

What types of applications are most at risk from CVE-2025-7783?

Enterprise applications and cloud services that use the form-data library for handling file uploads and form submissions are most at risk. Applications with distributed tracing, request correlation, or webhook processing systems are particularly vulnerable due to the exploitation conditions.

How can Math.random() values be observed by attackers?

Attackers can observe Math.random() values through various mechanisms including headers like x-request-id, telemetry and tracing systems such as OpenTelemetry which uses Math.random(), and other application-level debugging or monitoring features that expose these values.

What are the potential impacts of exploiting CVE-2025-7783?

Successful exploitation could lead to remote code execution and data exfiltration. Attackers could manipulate form data processing, potentially gaining unauthorized access to sensitive information or executing malicious code on affected systems.

Advisory

Critical Math.random() flaw in form-data JavaScript library enables request injection attacks

Q: Which form-data library versions have been patched for CVE-2025-7783?

The patched versions are 2.5.4, 3.0.4, and 4.0.4. These versions replace Math.random() with cryptographically secure random number generation, eliminating the predictability that enables boundary value prediction attacks.

Q: How do attackers exploit the form-data vulnerability?

Attackers who can predict the output of Math.random() can predict boundary values and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This allows them to manipulate form data processing and potentially achieve remote code execution or data exfiltration.

Q: Why are modern microservices particularly vulnerable to CVE-2025-7783?

The required exploitation conditions are frequently met in modern microservices architectures that implement distributed tracing, request correlation, or webhook processing systems. These systems often expose Math.random() values through telemetry mechanisms and allow attackers to control parts of payloads.

published: July 23, 2025

Take action: If you're using the form-data JavaScript library in your applications, plan an update to the latest patched versions (2.5.4, 3.0.4, or 4.0.4). There's an exploitable scenario in file upload mechanisms.

Learn More

A critical vulnerability his reported in the form-data JavaScript library that could lead to remote code execution and data exfiltration. The form-data library is used in the JavaScript ecosystem for handling file uploads and form submissions, making this vulnerability particularly concerning for enterprise applications and cloud services.

The vulnerability is tracked as CVE-2025-7783 (CVSS score 9.4), and is caused by the use of Math.random() to generate boundary values in multipart form-data requests—an approach that exposes applications to predictable and exploitable behavior under certain conditions.

Form-Data versions prior to the patch use this line of code:

boundary += Math.floor(Math.random() * 10).toString(16),

which creates predictable boundary values because Math.random() is not cryptographically secure and its output can be reverse-engineered if an attacker observes a sequence of values. An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field.

Successful exploitation requires two conditions to be met:

The attacker must be able to observe Math.random() values, such as via headers like x-request-id or other telemetry/tracing mechanisms (e.g., OpenTelemetry uses Math.random).
The attacker must control part of the payload sent using the Form-Data library.

These conditions are frequently met in modern microservices architectures that implement distributed tracing, request correlation, or webhook processing systems.

Affected Versions:

< 2.5.4
3.0.0 – 3.0.3
4.0.0 – 4.0.3

Patched Versions:

2.5.4
3.0.4
4.0.4

The patches replace Math.random() with cryptographically secure random number generation, eliminating the predictability that enables boundary value prediction attacks. Developers and DevOps teams are urged to immediately update to the latest versions to mitigate the issue.

Critical Math.random() flaw in form-data JavaScript library enables request injection attacks

Read More
Microsoft reports critical flaw in Power Automate
Critical stack buffer overflow flaw in Redis database …
Gogs Zero-Day vulnerability actively exploited
Vulnerability in aiohttp scanned for exploit by ShadowSyndicate …
Critical build cache flaw exposes organizations to production …