
Vulnerability_id VCID-xkyu-r89g-ckec
Summary
Withdrawn Advisory: Axios has Transitive Critical Vulnerability via form-data
### Withdrawn Advisory
This advisory has been withdrawn because users of Axios 1.10.0 have the flexibility to use a patched version of form-data, the software in which the vulnerability originates, without upgrading Axios to address GHSA-fjxv-7rqg-78g4.

### Original Description
A critical vulnerability exists in the form-data package used by `axios@1.10.0`. Multipart boundaries are generated with `Math.random()`, a non-cryptographic PRNG, so an attacker who has observed earlier outputs can predict the boundary value (Snyk classifies this as "Predictable Value Range from Previous Values"). With a known boundary, attacker-controlled field content can terminate a part early and smuggle additional parts into the body, i.e. HTTP parameter pollution or injection.

This was submitted in [issue #6969](https://github.com/axios/axios/issues/6969) and addressed in [pull request #6970](https://github.com/axios/axios/pull/6970).

### Details
The vulnerable package `form-data@4.0.0` is used by `axios@1.10.0` as a transitive dependency. It generates multipart boundary strings with `Math.random()`, which is not a cryptographically secure source of randomness and whose output can be predicted from previously observed values.

This flaw is tracked under [Snyk Advisory SNYK-JS-FORMDATA-10841150](https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150) and [CVE-2025-7783](https://nvd.nist.gov/vuln/detail/CVE-2025-7783).

Affected `form-data` versions:
- <2.5.4
- >=3.0.0 <3.0.4
- >=4.0.0 <4.0.4

Since `axios@1.10.0` pulls in `form-data@4.0.0`, it is exposed to this issue. As the withdrawal note above states, a patched `form-data` release can be installed without upgrading Axios, so the fix is a dependency update rather than an Axios release.


### PoC
1. Install Axios: `npm install axios@1.10.0`
2. Run `snyk test`:
```
Tested 104 dependencies for known issues, found 1 issue, 1 vulnerable path.

✗ Predictable Value Range from Previous Values [Critical Severity]
in form-data@4.0.0 via axios@1.10.0 > form-data@4.0.0

```
3. Trigger a multipart/form-data request. Observe the boundary header uses predictable random values, which could be exploited in a targeted environment.


### Impact

- **Vulnerability Type**: Predictable Value / HTTP Parameter Pollution
- **Risk**: Critical (CVSS 9.4, Snyk's rating for the underlying form-data flaw); this VulnerableCode entry records CVSS 3.1 7.5 (HIGH) for the Axios advisory itself (see References below)
- **Impacted Users**: Any application using axios@1.10.0 to submit multipart form-data


This could potentially allow attackers to:
- Interfere with multipart request parsing
- Inject unintended parameters
- Exploit backend deserialization logic depending on content boundaries

### Related Links
[GitHub Issue #6969](https://github.com/axios/axios/issues/6969)

[Pull Request #xxxx](https://github.com/axios/axios/pull/xxxx) (replace with actual link)

[Snyk Advisory](https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150)

[form-data on npm](https://www.npmjs.com/package/form-data)
Aliases
- CVE-2025-54371
- GHSA-rm8p-cx58-hcvx
Fixed_packages
- pkg:npm/axios@1.11.0 (is_vulnerable: true; affected_by_vulnerabilities: VCID-aq84-8cnz-byax, VCID-x41s-g5mh-pkdq; resource_url: http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.11.0)

Note that the version recorded as fixed for this entry is still flagged vulnerable by two other entries, so moving to axios 1.11.0 addresses this advisory but does not yield a package with no known issues.
Affected_packages
- pkg:npm/axios@1.10.0 (is_vulnerable: true; affected_by_vulnerabilities: VCID-aq84-8cnz-byax, VCID-x41s-g5mh-pkdq, VCID-xkyu-r89g-ckec; resource_url: http://public2.vulnerablecode.io/packages/pkg:npm/axios@1.10.0)
References

Every cvssv3.1 score below carries the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N; no reference_type is recorded for any entry.

| # | reference_url | reference_id | scores |
|---|---|---|---|
| 0 | https://github.com/advisories/GHSA-fjxv-7rqg-78g4 | | cvssv3.1 7.5; generic_textual HIGH |
| 1 | https://github.com/axios/axios | | cvssv3.1 7.5; generic_textual HIGH |
| 2 | https://github.com/axios/axios/issues/6969 | | cvssv3.1 7.5; generic_textual HIGH |
| 3 | https://github.com/axios/axios/pull/6970 | | cvssv3.1 7.5; generic_textual HIGH |
| 4 | https://github.com/axios/axios/security/advisories/GHSA-rm8p-cx58-hcvx | | cvssv3.1 7.5; cvssv3.1_qr HIGH; generic_textual HIGH |
| 5 | https://nvd.nist.gov/vuln/detail/CVE-2025-54371 | | cvssv3.1 7.5; generic_textual HIGH |
| 6 | https://nvd.nist.gov/vuln/detail/CVE-2025-7783 | | cvssv3.1 7.5; generic_textual HIGH |
| 7 | https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150 | | cvssv3.1 7.5; generic_textual HIGH |
| 8 | https://github.com/advisories/GHSA-rm8p-cx58-hcvx | GHSA-rm8p-cx58-hcvx | cvssv3.1_qr HIGH |
Weaknesses
- CWE-937: OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities (weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013)
- CWE-1035: OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities (weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017)
Exploits: none listed
Severity_range_score: 7.0 - 8.9
Exploitability: 0.5
Weighted_severity: 8.0
Risk_score: 4.0
Resource_url: http://public2.vulnerablecode.io/vulnerabilities/VCID-xkyu-r89g-ckec