Security: Fix CVE-2025-7783 (form-data)#23

Closed
vmrh21 wants to merge 1 commit into test/workflow-cve-41174 from fix/cve-2025-7783-form-data-attempt-1

Conversation

@vmrh21 vmrh21 commented Feb 19, 2026

Date: 2026-02-19

Summary

This PR fixes CVE-2025-7783 by adding an npm override to force form-data to version 4.0.5 across all dependencies.

CVE Details

  • CVE ID: CVE-2025-7783
  • Package: form-data
  • Severity: CRITICAL (CVSS 9.1)
  • Impact: Unsafe random function for choosing multipart/form-data boundary
  • Attack Vector: Predictable boundary values could lead to data leakage
  • Vulnerable versions: 3.0.0 - 3.0.3
  • Fixed version: 4.0.5
  • Jira Issues: RHOAIENG-30548, RHOAIENG-30550, RHOAIENG-30546, RHOAIENG-30549, RHOAIENG-30547, RHOAIENG-30724, RHOAIENG-30545

Test Results

Status: ✅ All tests passed

Tests discovered: Yes
Test command: npm test
Result: PASSED
Duration: ~30s

Test Summary
  • Total: 30 tests
  • Passed: 30
  • Failed: 0
  • Skipped: 0

Backend: All type checks passed
Frontend: 4 test suites passed

Changes Made

  • Added npm override: "form-data": "^4.0.5" in root package.json
  • Updated all monorepo lock files (root, backend, frontend)
  • No application code changes required

Breaking Changes

form-data upgraded from 3.x to 4.x with minor API changes:

  • Most code is compatible
  • Boundary generation now uses cryptographically secure random
  • No changes needed to application code in this repository

Testing Checklist

  • Pre-PR automated tests executed and passed
  • Verified form-data@4.0.5 installed via npm list form-data
  • Confirmed CVE-2025-7783 no longer in npm audit
  • Build successful
  • All test suites passed
  • Manual testing of multipart form uploads (if applicable)

Risk Assessment

| Risk Factor | Level | Notes |
| --- | --- | --- |
| Breaking Changes | Low | 3.x to 4.x upgrade, backward compatible for most use cases |
| Dependency Impact | Medium | Used by HTTP libraries for multipart uploads |
| Regression Risk | Low | All tests pass, no code changes required |

Verification Steps

  1. Verify CVE resolved:

    npm audit | grep CVE-2025-7783
    # Should return no results
  2. Verify form-data version:

    npm list form-data
    # Should show 4.0.5
  3. Run tests:

    npm test
    # All tests should pass
  4. Test multipart uploads (if applicable):

    • Verify file upload functionality works
    • Check that form boundaries are properly generated
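The "Changes Made" and "Verification Steps" sections above describe the end state this PR wants (an npm override in the root package.json and every installed copy of form-data at or above 4.0.5). The script below is an added example, not code from this PR or from the CVE Fixer Workflow: it walks a lockfileVersion 2/3 `packages` map, flags form-data copies inside the vulnerable range the PR states (3.0.0 to 3.0.3) or below the fixed version, and checks that the root manifest's `overrides` entry pins the fix. The lock and manifest objects are constructed inline (including a hypothetical `some-http-client` dependency) so it runs offline; in a real checkout load them with `JSON.parse(fs.readFileSync(...))`. It goes slightly beyond the PR by also reporting copies that are below 4.0.5 without being in the stated vulnerable range, since the override forces those up as well.

```javascript
// Added example, not code from the PR: audit a package-lock.json and root
// package.json for the state this PR aims for. Lock/manifest data below is
// constructed so the script runs offline.

// Vulnerable range and fixed version exactly as the PR description states them.
const VULNERABLE_RANGES = [{ min: "3.0.0", max: "3.0.3" }];
const FIXED_MIN = "4.0.5";

// Parse "major.minor.patch"; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

function inVulnerableRange(version) {
  const v = parseVersion(version);
  return VULNERABLE_RANGES.some(
    (r) => compareVersions(v, parseVersion(r.min)) >= 0 &&
           compareVersions(v, parseVersion(r.max)) <= 0
  );
}

// lockfileVersion 2/3 lists every installed copy under "packages", keyed by
// install path; nested duplicates look like "node_modules/a/node_modules/form-data".
function findFormDataCopies(lock) {
  const copies = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === "") continue; // the root project itself
    const name = installPath.split("node_modules/").pop();
    if (name !== "form-data") continue;
    const v = parseVersion(entry.version);
    copies.push({
      path: installPath,
      version: entry.version,
      vulnerable: inVulnerableRange(entry.version),
      belowFixed: compareVersions(v, parseVersion(FIXED_MIN)) < 0,
    });
  }
  return copies;
}

// True when package.json carries overrides["form-data"] whose floor is >= 4.0.5
// (a "^4.0.5" or "4.0.5" spec; a leading caret or tilde is stripped).
function overridePinsFix(manifest) {
  const spec = manifest.overrides && manifest.overrides["form-data"];
  if (typeof spec !== "string") return false;
  const floor = parseVersion(spec.replace(/^[\^~]/, ""));
  return compareVersions(floor, parseVersion(FIXED_MIN)) >= 0;
}

function audit(manifest, lock) {
  const copies = findFormDataCopies(lock);
  return {
    overridePresent: overridePinsFix(manifest),
    vulnerable: copies.filter((c) => c.vulnerable).map((c) => c.path).sort(),
    belowFixed: copies.filter((c) => c.belowFixed).map((c) => c.path).sort(),
    ok: overridePinsFix(manifest) && copies.every((c) => !c.belowFixed),
  };
}

// Constructed sample data: a "before" tree with a direct 3.0.2 copy (inside the
// PR's vulnerable range) and a nested 4.0.0 copy under a hypothetical
// dependency (outside that range, but still below the fixed version the
// override enforces), and the "after" tree with the override applied.
const manifestBefore = { name: "app", dependencies: { "some-http-client": "^1.0.0" } };
const manifestAfter = { ...manifestBefore, overrides: { "form-data": "^4.0.5" } };
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/form-data": { version: "3.0.2" },
    "node_modules/some-http-client/node_modules/form-data": { version: "4.0.0" },
  },
};
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/form-data": { version: "4.0.5" },
  },
};

console.log("before:", JSON.stringify(audit(manifestBefore, lockBefore)));
console.log("after: ", JSON.stringify(audit(manifestAfter, lockAfter)));
```

This complements `npm audit` rather than replacing it: the advisory database decides what is vulnerable, while this check confirms that no nested copy escaped the override, which is the failure mode an override is meant to close in a monorepo with several lock files.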

References


🤖 Generated by CVE Fixer Workflow

- Add npm override for form-data ^4.0.5 to fix CVE-2025-7783
- Update all lock files in monorepo (root, backend, frontend)
- Resolves RHOAIENG-30548, RHOAIENG-30550, RHOAIENG-30546, RHOAIENG-30549, RHOAIENG-30547, RHOAIENG-30724, RHOAIENG-30545

CVE Details:
- CVE ID: CVE-2025-7783
- Package: form-data
- Severity: CRITICAL (CVSS 9.1)
- Impact: Unsafe random function for choosing multipart boundary
- Vulnerable versions: 3.0.0 - 3.0.3
- Fixed version: 4.0.5

Files Changed (4 total):
- package.json (added overrides)
- package-lock.json
- backend/package-lock.json
- frontend/package-lock.json

Breaking Changes:
- form-data upgraded from 3.x to 4.x
- Minor API changes but most code is compatible
- No application code changes required

Testing:
- Verified form-data@4.0.5 via npm list
- Confirmed CVE no longer in npm audit
- All tests passed (30 passed, 0 failed)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@vmrh21 vmrh21 closed this Feb 23, 2026
@vmrh21 vmrh21 deleted the fix/cve-2025-7783-form-data-attempt-1 branch February 25, 2026 19:52