A vulnerability has been disclosed in form-data, a widely used npm library for building multipart/form-data request bodies. Tracked as CVE-2025-7783, it affects millions of JavaScript/Node.js web applications and APIs worldwide, especially backend systems, microservices and serverless functions.
The root cause is insecure boundary generation in the form_data.js file, at line 347.
The code there builds the boundary string that separates the parts of a multipart/form-data body. The problem is that Math.random() is not a cryptographically secure source of randomness: it is a pseudorandom number generator (PRNG), and in V8 (Node.js) it is an xorshift128+ generator whose internal state can be recovered from a small number of observed outputs. An attacker who sees some values produced by Math.random() in the same process can therefore predict the next values, including the boundary.
How does the attack work?
- The application uses form-data to send user-supplied content onward as multipart/form-data (e.g. photos, registration forms, attachments).
- At the same time, the application unintentionally exposes Math.random() output, for example in a header such as x-request-id or trace-id, or in a debug log.
- The attacker collects these values and recovers the internal state of the PRNG.
- From that state they predict the boundary that will be used in subsequent requests.
- They then submit a field value that contains the predicted boundary, which terminates their part early and opens additional, attacker-chosen parts. The backend request now carries rogue parameters, so malicious data is injected into internal systems and backend APIs the user was never meant to control.
Severity and scope
- Severity: "Critical" on the CVSS v4 scale.
- Broad impact: the affected versions are:
- below 2.5.4
- 3.0.0 to 3.0.3
- 4.0.0 to 4.0.3
- Exploitation is not especially complicated once the application leaks Math.random() output and places attacker-controlled content into a form-data body.
This flaw resembles a recent issue in the undici library, which suggests it is not an isolated case but a recurring pattern of Math.random() misuse in JavaScript.
Recommended actions for users:
- Immediately update form-data to a patched release (npm ls form-data shows which versions are present in your dependency tree, including transitive ones):
- 4.0.4, 3.0.4 or 2.5.4
- Replace Math.random() with a cryptographically secure generator, such as crypto.randomUUID() or crypto.randomBytes() in Node.js.
- Audit the whole codebase for Math.random() in security-sensitive code (tokens, IDs, authentication, session values, etc.) and replace it.
- Avoid exposing internal values derived from a PRNG (for example a trace ID in a response header or a debug log), since each leaked output helps an attacker recover the generator's state.
CVE-2025-7783 is another wake-up call for developers. As systems become more interconnected and complex, a vulnerability as small as a single call to Math.random() can become a backdoor for attackers. Don't let small details cost you the system: security is never a chore.
