Skip to content

Comments

Bump form-data to bring in fix for critical vulnerability#652

Merged
HarithaVattikuti merged 1 commit intoactions:mainfrom
gowridurgad:bumps-form-data
Jul 30, 2025
Merged

Bump form-data to bring in fix for critical vulnerability#652
HarithaVattikuti merged 1 commit intoactions:mainfrom
gowridurgad:bumps-form-data

Conversation

@gowridurgad
Copy link
Contributor

@gowridurgad gowridurgad commented Jul 30, 2025
edited
Loading

This PR upgrades the form-data dependency to version 4.0.4 using npm audit fix, resolving a critical security vulnerability identified as CVE-2025-7783.

Vulnerability Summary:
form-data previously used Math.random() to generate boundary values for multipart form-encoded data. Because Math.random() is a pseudo-random number generator, it can be predicted if an attacker:

Can observe outputs of Math.random() in the application (e.g., via request headers), and

Can control at least one field in a form-data request.

This predictability allows an attacker to guess the multipart boundary, enabling them to inject additional fields or override values in downstream requests, leading to potential manipulation of internal services.

Affected Package:
Package: form-data

Vulnerable Versions: < 2.5.4

Fixed Version: >= 2.5.4 (current version after fix: 4.0.4)

Resolution:
This PR brings in the fix by allowing npm audit fix to bump the form-data version to 4.0.4, which no longer uses Math.random() and includes proper randomization for multipart boundaries.

Related issue:
dependabot alert #39
dependabot alert #40

Copilot AI review requested due to automatic review settings July 30, 2025 06:30
@gowridurgad gowridurgad requested a review from a team as a code owner July 30, 2025 06:30
Copilot AI reviewed Jul 30, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR upgrades the form-data dependency to version 4.0.4 to address CVE-2025-7783, a critical security vulnerability where form-data used Math.random() for boundary generation, allowing potential boundary prediction and request manipulation attacks.

  • Updates form-data from version 4.0.0 to 4.0.4 and from 2.5.1 to 2.5.5
  • Adds new license files for dependencies introduced by the form-data upgrade
  • Updates existing license files for minor version bumps of indirect dependencies

Reviewed Changes

Copilot reviewed 18 out of 21 changed files in this pull request and generated no comments.

File Description
.licenses/npm/form-data-4.0.4.dep.yml Updates form-data license from version 4.0.0 to 4.0.4 and fixes README reference
.licenses/npm/form-data-2.5.5.dep.yml Updates form-data license from version 2.5.1 to 2.5.5
.licenses/npm/brace-expansion.dep.yml Updates brace-expansion license from version 1.1.11 to 1.1.12
Multiple new license files Adds license files for new dependencies: safe-buffer, math-intrinsics, hasown, has-tostringtag, has-symbols, gopd, get-proto, get-intrinsic, function-bind, es-set-tostringtag, es-object-atoms, es-errors, es-define-property, dunder-proto, call-bind-apply-helpers

@HarithaVattikuti HarithaVattikuti merged commit 87c6e11 into actions:main Jul 30, 2025
106 checks passed
This was referenced Sep 8, 2025
Open
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@HarithaVattikuti HarithaVattikuti HarithaVattikuti approved these changes

@aparnajyothi-y aparnajyothi-y aparnajyothi-y approved these changes

@lmvysakh lmvysakh lmvysakh approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@gowridurgad @HarithaVattikuti @aparnajyothi-y @lmvysakh