Critical Vulnerability in JavaScript Library Exposes Millions of Apps to Code Execution Attacks

A critical security vulnerability has been disclosed in the widely used form-data npm library, potentially exposing millions of applications to parameter injection against the backend systems they talk to and, depending on what those systems do with injected parameters, to code execution attacks.

The vulnerability, assigned CVE-2025-7783, stems from the library's use of Math.random(), which is not a cryptographically secure generator, to build the boundary strings that separate the parts of a multipart/form-data body. An attacker who can predict the boundary can terminate one part early and append parts of their own, injecting parameters into HTTP requests that the application sends to backend systems.

Key Takeaways
1. form-data library uses predictable Math.random(), enabling parameter injection attacks.
2. Millions of apps vulnerable across versions <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3.
3. Upgrade to 4.0.4, 3.0.4, or 2.5.4 immediately.

Technical Details of the Vulnerability

The advisory published on GitHub states that the vulnerability resides in a single line of code in the library's boundary generator. Specifically, line 347 of form_data.js contains the problematic statement, executed in a loop to build the boundary one character at a time: boundary += Math.floor(Math.random() * 10).toString(16);.


This implementation relies on JavaScript's Math.random(), a non-cryptographic pseudo-random number generator (xorshift128+ in V8, the engine behind Node.js). Its internal state can be recovered by an attacker who observes enough consecutive outputs, and once the state is known every subsequent output is fully determined.

The form-data library creates readable “multipart/form-data” streams for submitting forms and file uploads to web applications. 

When generating the boundary that separates the parts of a multipart body, the library draws every character from Math.random(), so an attacker who has recovered the generator state can compute the boundary before the request is sent.

Security researchers have demonstrated that by observing other Math.random() values produced by the target application (values drawn from the same generator in the same process), attackers can recover the PRNG state and predict subsequent boundary values exactly.

The vulnerability affects multiple versions of the popular npm package, including versions below 2.5.4, versions 3.0.0 through 3.0.3, and versions 4.0.0 through 4.0.3. 

This represents a significant portion of applications using the form-data library for handling multipart form submissions and file uploads.

Two conditions must both hold for an application to be exploitable: it must use form-data to forward user-controlled data to another system, and it must expose Math.random() outputs to the attacker through some observable channel (values drawn from the same generator, in the same process, that later produces the boundary).

A common example is a request or trace ID generated with Math.random() and returned to the client, which is how the OpenTelemetry JavaScript SDK's default random ID generator produces IDs for correlating traces across frontend and backend systems.

The attack methodology closely mirrors the vulnerability recently found in the undici HTTP client library (CVE-2025-22150), which likewise generated multipart boundaries with Math.random().

The attacker submits a value that contains the predicted boundary, followed by CRLF-delimited part headers and bodies of their choosing; the receiving parser treats that text as additional, fully attacker-controlled fields.

This defeats value-level input sanitization because multipart/form-data has no escaping mechanism for field contents: the boundary is the only thing that delimits parts, so a correctly predicted boundary lets arbitrary parameters into the backend request without the payload containing anything a sanitizer would reject.

Whether the injected field adds a new value or overwrites an existing one depends on how the target system handles repeated parameters (first-wins, last-wins or array semantics).

The vulnerability has been rated Critical, with a CVSS v4.0 base score of 9.4 reflecting high impact on both confidentiality and integrity.

Risk Factors           Details
Affected Products      form-data library (npm package)
                       - Versions < 2.5.4
                       - Versions 3.0.0 - 3.0.3
                       - Versions 4.0.0 - 4.0.3
Impact                 - Parameter injection into backend requests
                       - Potential code execution on backend systems, depending on how the injected parameters are consumed
Exploit Prerequisites  - Application uses form-data to forward user-controlled data
                       - Math.random() values observable by the attacker
                       - Ability to recover the PRNG state from the observed values
                       - Target system acts on injected or repeated parameters
CVSS 4.0 Score         9.4 (Critical)

Mitigation

Patches have been released across all affected version branches of the form-data library. 

Users should immediately upgrade to version 4.0.4, 3.0.4, or 2.5.4, depending on which branch (4.x, 3.x or 2.x) they are on.

The patches replace the Math.random() loop with cryptographically secure random bytes from Node's crypto module for boundary generation.

Organizations should immediately inventory applications that depend on form-data, directly or transitively (it is a dependency of popular HTTP clients such as axios and request, so nested copies are common), and prioritize updates based on exposure risk.

Additionally, security teams should review applications for other places where Math.random() output reaches an attacker (IDs, tokens, nonces, delimiters), since an observable non-cryptographic PRNG is a broader class of weakness than this specific form-data issue.
