Critical vulnerability CVE-2025-7783 using form-data 4.0.0 - 4.0.3 (existing project)

[MikeMcC399]

• follows on from Critical vulnerability CVE-2025-7783 using form-data 4.0.1 & 4.0.3 #32066

Current behavior

In a Cypress project that uses a package manager lock file and that was installed / set up prior to the release of form-data@4.0.4 on Jul 14, 2025, security scanners such as:

• npm audit
• GitHub Dependabot
• Snyk

may report a critical vulnerability CVE-2025-7783 for form-data versions 4.0.0 - 4.0.3.

Desired behavior

Installing a new version of Cypress should ensure that a minimum non-vulnerable version of form-data is installed. This is currently form-data@4.0.4.

Test code to reproduce

git clone https://github.com/cypress-io/github-action
cd github-action
git checkout 9127352d1d0b96f87cb01cb59dc61816af1f0c4d
cd examples/basic
npm ci
npm audit

Note the warning:

form-data 4.0.0 - 4.0.3
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - GHSA-fjxv-7rqg-78g4

Install beta version Cypress 14.5.3

npm install https://cdn.cypress.io/beta/npm/14.5.3/linux-x64/develop-7fede2be00a2840a69c13ac0f5cc9e20f71916a1/cypress.tgz
npm audit

Note that the vulnerability has not been eliminated and there is still "1 critical severity vulnerability" reported.

Cypress Version

14.5.2

Node version

v22.17.1 LTS

Operating System

Ubuntu 24.04.2 LTS

Debug Logs

# npm audit report

form-data  4.0.0 - 4.0.3
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/form-data

1 critical severity vulnerability

To address all issues, run:
  npm audit fix

$ npm ls form-data
example-basic@1.0.0 
└─┬ cypress@14.5.2
  └─┬ @cypress/request@3.0.8
    └── form-data@4.0.2

Other

Workaround

npm audit fix

Continuing from the above steps:

git restore .
git clean -xfd
npm ci
npm audit fix

or

npm update --save

Recommendation

• Merge PR fix: update patch version of form-data to address new critical Snyk vulnerability request#88 despite CI failure

• bump version of @cypress/request usage in all Cypress package.json files (by Renovate or manually)

• Prioritize issue Replace @cypress/request #29775 since the repo @cypress/request is no longer maintainable

[jennifer-shehane]

@MikeMcC399 Thanks for opening this, we'll look into it.

[MikeMcC399]

@cacieprins

Thank you for fixing this issue! I successfully verified the change using a beta build:

Verification

Ubuntu 24.04.2 LTS, Node.js 22.17.1 LTS

git clone https://github.com/cypress-io/github-action
cd github-action
git checkout 9127352d1d0b96f87cb01cb59dc61816af1f0c4d
cd examples/basic
npm ci
npm install https://cdn.cypress.io/beta/npm/14.5.3/linux-x64/develop-7825936902571e96dd213c29acc37b8bc2d3b7ad/cypress.tgz
npm audit

npm audit responds with the following, showing that the vulnerability has been removed:

found 0 vulnerabilities

[cypress-bot]

Released in 14.5.3.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v14.5.3, please open a new issue.