fix: resolve CVE-2025-7783 by pinning form-data ≥ 2.5.4 via pnpm override#1981
Conversation
Add form-data>=2.5.4 override to pnpm-workspace.yaml to force the vulnerable form-data@2.5.3 (CVE-2025-7783) out of the dependency graph. Also migrate the existing pnpm overrides from the deprecated package.json pnpm.overrides field to the correct pnpm v10 location in pnpm-workspace.yaml. The vulnerable version was pulled in as a transitive dependency: @google-cloud/storage -> retry-request -> @types/request -> form-data@2.5.3"
|
@copilot why did you remove submodules from pnpm-lock.yaml file? |
… patch Restore the original pnpm-lock.yaml and apply only the targeted changes needed to resolve CVE-2025-7783: - Remove form-data@2.5.3 from packages and snapshots sections - Update @types/request@2.48.12 snapshot to use form-data@4.0.2 The previous commit erroneously ran `pnpm install` in an environment where git submodules were not checked out, causing all submodule importer dependency data to be wiped to empty {}.
The submodule data was inadvertently wiped because the previous commit ran Fixed in the latest commit by restoring the original lockfile and applying only the three minimal surgical changes needed for the CVE:
All submodule importer dependency data is now preserved. |
There was a problem hiding this comment.
Pull request overview
This PR addresses CVE-2025-7783 / GHSA-fjxv-7rqg-78g4 by ensuring the vulnerable form-data@2.5.3 no longer appears in the resolved dependency graph, using pnpm workspace-level overrides and updating the lockfile accordingly.
Changes:
- Added a workspace-level
overridesblock to enforceform-data >= 2.5.4(and to carry existing overrides at the workspace level). - Updated
pnpm-lock.yamlsoform-data@2.5.3is removed and@types/request@2.48.12resolvesform-data@4.0.2.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pnpm-workspace.yaml | Adds workspace-level pnpm overrides, including the non-vulnerable form-data constraint. |
| pnpm-lock.yaml | Removes form-data@2.5.3 and updates snapshots to non-vulnerable form-data versions. |
Files not reviewed (1)
- pnpm-lock.yaml: Generated file
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@copilot tests are failing |
Fixed in the latest commit. The lockfile's |
form-data@2.5.3usesMath.random()for multipart boundary generation, making boundaries predictable to an attacker who can observe otherMath.random()outputs — enabling parameter injection (CVE-2025-7783, GHSA-fjxv-7rqg-78g4, critical).Changes
pnpm-workspace.yaml— Addedoverridessection (correct location for pnpm v10;package.jsonpnpmfield is silently ignored since v10) withform-data: '>=2.5.4'plus the three pre-existing overrides migrated frompackage.jsonpackage.json— Removed the now-duplicatepnpm.overridesblock;pnpm-workspace.yamlis the single source of truth for overridespnpm-lock.yaml—overridessection updated to includeform-data: '>=2.5.4';form-data@2.5.3fully removed;@types/request@2.48.12now resolves toform-data@4.0.2Dependency chain
Reachability
Not reachable at runtime (high confidence). The vulnerable package is pulled in solely by
@types/request, a DefinitelyTyped package containing only.d.tsfiles —form-data's boundary-generation code is never executed. The override is primarily to clear the scanner alert and harden the transitive graph.Original prompt
This section details the Dependabot vulnerability alert you should resolve
<alert_title>form-data uses unsafe random function in form-data for choosing boundary</alert_title>
<alert_description>### Summary
form-data uses
Math.random()to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker:Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request.
This is largely the same vulnerability as was recently found in
undicibyparrot409-- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work.Details
The culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347
An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a
x-request-idheader added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend.Math.random()is a fine place to get these sorts of IDs (in fact, opentelemetry uses Math.random for this purpose)PoC
PoC here: https://github.com/benweissmann/CVE-2025-7783-poc
Instructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID).
Impact
For an application to be vulnerable, it must:
form-datato send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array)If an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.</alert_description>
critical
https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4 https://nvd.nist.gov/vuln/detail/CVE-2025-7783 https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0 https://github.com/benweissmann/CVE-2025-7783-poc https://lists.debian.org/debian-lts-announce/2025/07/msg00023.html https://github.com/advisories/GHSA-fjxv-7rqg-78g4GHSA-fjxv-7rqg-78g4, CVE-2025-7783
form-data
npm
<vulnerable_versions>2.5.3</vulnerable_versions>
<patched_version>2.5.4</patched_version>
<manifest_path>pnpm-lock.yaml</manifest_path>
<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability...