Critical JavaScript Library Flaw Exposes Apps to Remote Code Execution

A critical security vulnerability has been discovered in the widely used form-data npm package, affecting millions of Node.js applications worldwide.

The vulnerability, designated as CVE-2025-7783, stems from the package’s use of the predictable Math.random() function to generate boundary values for multipart form-encoded data, potentially allowing attackers to inject malicious parameters into HTTP requests and gain unauthorized access to internal systems.

Vulnerability Details and Affected Versions

The security flaw affects multiple versions of the form-data package, including versions below 2.5.4, versions 3.0.0 through 3.0.3, and versions 4.0.0 through 4.0.3.

The vulnerability was published on July 18, 2025, and has been assigned a critical severity rating under the CVSS v4 scoring system.

The root cause lies in a single line of code within the package’s form_data.js file at line 347, where the boundary generation occurs: boundary += Math.floor(Math.random() * 10).toString(16).

This implementation creates pseudo-random boundary values that can be predicted by attackers who have observed other Math.random() outputs from the same application.

The vulnerability is similar to a recently discovered issue in the Undici package, highlighting a broader pattern of insecure random number generation in JavaScript libraries.

Technical Analysis and Exploit Mechanism

The exploitation mechanism relies on the predictable nature of JavaScript’s Math.random() function, which implements a pseudo-random number generator (PRNG) whose state can be determined through observation of sequential values.

Attackers who can observe other Math.random() outputs from the target application, such as through x-request-id headers used in distributed tracing systems, can predict future boundary values generated by form-data.

Once an attacker can predict the boundary value, they can craft malicious payloads containing the boundary string followed by additional form parameters, effectively injecting unauthorized data into multipart form requests.

This technique is comparable to improper escaping vulnerabilities but requires the additional step of solving for the PRNG state through side-channel observation.

A proof-of-concept demonstration has been made available at https://github.com/benweissmann/CVE-2025-7783-poc.

Impact and Remediation Steps

For applications to be vulnerable, they must use form-data to transmit user-controlled data to other systems while simultaneously exposing Math.random() values through observable channels.

Successful exploitation allows attackers to make arbitrary requests to internal systems, potentially leading to data breaches, unauthorized access, and compromise of backend infrastructure.

Developers should immediately update to the patched versions: 4.0.4, 3.0.4, or 2.5.4.

The patches replace the insecure Math.random() implementation with cryptographically secure random number generation, eliminating the predictability that enables this attack vector.

Organizations should also audit their applications for other instances of Math.random() usage in security-sensitive contexts and implement proper random number generation practices across their codebase.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
