CVE-2025-7783 (High) detected in form-data-4.0.0.tgz #364
Description
CVE-2025-7783 - High Severity Vulnerability
Vulnerable Library - form-data-4.0.0.tgz
A library to create readable "multipart/form-data" streams. Can be used to submit forms and file uploads to other web applications.
Library home page: https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz
Path to dependency file: /aspnetcore/src/DbLocalizationProvider.AdminUI.AspNetCore/package.json
Path to vulnerable library: /aspnetcore/src/DbLocalizationProvider.AdminUI.AspNetCore/node_modules/form-data/package.json
Dependency Hierarchy:
- axios-1.6.2.tgz (Root Library)
- ❌ form-data-4.0.0.tgz (Vulnerable Library)
Found in HEAD commit: 0cbb84012dd1a64bfd0c69be7f10d520649195d1
Found in base branch: master
Vulnerability Details
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-18
URL: CVE-2025-7783
CVSS 3 Score Details (8.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-fjxv-7rqg-78g4
Release Date: 2025-07-18
Fix Resolution (form-data): 4.0.4
Direct dependency fix Resolution (axios): 1.6.3
Step up your Open Source Security Game with Mend here