CVE Details
Basic Information
| Title | Usage of unsafe random function in form-data for choosing boundary |
|---|---|
| Type | cve |
| Published | 2025-07-18T16:34:44.889Z |
| Modified | 2025-07-18T16:34:44.889Z |
Product Information
| Version | 4.0.0 – 4.0.3 |
|---|---|
CVSS Information
| Base Score | 9.4 (CRITICAL) |
|---|---|
| Vector String | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N |
AI Analysis
| AI Description | A vulnerability in the form-data library allows HTTP Parameter Pollution due to insufficiently random boundary generation in versions prior to 2.5.4, 3.0.4, and 4.0.4. |
|---|---|
| AI Severity | High |
| AI Vendor | JavaScript Community |
| AI Product | form-data |
| AI Version | 2.5.4, 3.0.3, 4.0.3 |
Affected Products
- < 2.5.4
- 3.0.0 – 3.0.3
- 4.0.0 – 4.0.3
Additional Information
| CWE List | CWE-330 |
|---|---|
| Source | harborist |
Description
A Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). The vulnerability is associated with the program file lib/form_data.js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.