
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2025-7783) has been discovered in the Form-Data JavaScript library, affecting versions prior to 2.5.4, 3.0.0-3.0.3, and 4.0.0-4.0.3. The vulnerability stems from the use of insufficiently random values in form-data that allows HTTP Parameter Pollution (HPP). The flaw has been assigned a CVSS v4 score of 9.4 (Critical) (NVD, Security Online).
The vulnerability resides in the form-data library's core functionality, specifically in the boundary value generation for multipart form-encoded data. The problematic code uses Math.random() to generate boundary values: 'boundary += Math.floor(Math.random() * 10).toString(16)'. This implementation is predictable when an attacker can observe sequential values from the same pseudo-random number generator (PRNG) state. The vulnerability requires two conditions: the ability to observe Math.random() values and control over part of the payload sent using the Form-Data library (GitHub Advisory, Cybersecurity News).
The vulnerability can lead to multipart injection attacks, enabling attackers to manipulate or overwrite server-side fields. This could result in unauthorized internal requests, parameter overwriting, or data exfiltration, particularly in applications that forward data to internal services or third-party APIs. The impact is especially significant in modern applications and microservices that use webhook interactions or automated form submission pipelines (Security Online).
Patches have been released across all affected version branches. Users should immediately upgrade to version 4.0.4, 3.0.4, or 2.5.4, depending on their current major version. The patches replace the predictable Math.random() implementation with cryptographically secure random number generation for boundary value creation (Cybersecurity News).
Source: This report was generated using AI