
Security: Fix CVE-2025-7783 (form-data Critical Vulnerability)#26

Closed
vmrh21 wants to merge 1 commit into test/workflow-cve-41174 from fix/cve-2025-7783-form-data-attempt-1

Conversation


@vmrh21 vmrh21 commented Feb 26, 2026

Date: 2026-02-26

Summary

This PR fixes CVE-2025-7783 by adding npm override for form-data ^4.0.5. This forces all transitive dependencies to use the patched version, resolving a critical unsafe random function vulnerability in multipart/form-data boundary selection.

CVE Details

  • CVE ID: CVE-2025-7783
  • Package: form-data
  • Severity: Critical (CVSS 9.1)
  • Impact: Unsafe random function for boundary selection in multipart/form-data
  • Vulnerable versions: < 4.0.5
  • Fixed version: 4.0.5
  • Jira Issues: RHOAIENG-30545, RHOAIENG-30546, RHOAIENG-30548

Fix Method

Used npm overrides field (recommended approach for this monorepo):

{
  "overrides": {
    "form-data": "^4.0.5"
  }
}

Files Changed (4 total)

  • package.json (added overrides)
  • package-lock.json
  • backend/package-lock.json
  • frontend/package-lock.json

Test Results ✅

Status: All tests passed
Test command: npm test
Duration: 11.8s

Test Summary
  • Test Suites: 4 passed, 4 total
  • Tests: 30 passed, 30 total
  • Backend: PASSED
  • Frontend: PASSED (lint + jest + type-check)

Breaking Changes

Low Risk - form-data 4.x has minor API changes from 3.x, but most code is compatible. No code changes were required for this repository.

Verification

Before:

form-data@3.0.1 (vulnerable)

After:

form-data@4.0.5 overridden
CVE-2025-7783 no longer in npm audit

Testing Checklist

  • Pre-PR automated tests executed and passed
  • Verified form-data@4.0.5 with npm list form-data
  • Verified CVE resolved with npm audit
  • All monorepo lock files updated (root, backend, frontend)
  • Verify multipart form uploads work correctly
  • Test file upload functionality

Risk Assessment

| Category | Risk Level | Notes |
|---|---|---|
| Breaking Changes | Low | Minor API changes, no code changes required |
| Dependency Conflicts | Low | No conflicts detected |
| Rollback Complexity | Low | Simple revert |

🤖 Generated by CVE Fixer Workflow

- Add npm override for form-data ^4.0.5 to fix CVE-2025-7783
- Update all lock files in monorepo (root, backend, frontend)
- Resolves RHOAIENG-30545, RHOAIENG-30546, RHOAIENG-30548

CVE Details:
- CVE ID: CVE-2025-7783
- Package: form-data
- Severity: Critical (CVSS 9.1)
- Impact: Unsafe random function for boundary selection in multipart/form-data
- Vulnerable versions: < 4.0.5
- Fixed version: 4.0.5

Files Changed (4 total):
- package.json (added overrides)
- package-lock.json
- backend/package-lock.json
- frontend/package-lock.json

Breaking Changes:
- Minor API changes from 3.x to 4.x, but no code changes required

Testing:
- Verified form-data@4.0.5 via npm list
- Confirmed CVE no longer in npm audit
- All automated tests passed (4 suites, 30 tests)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

vmrh21 commented Feb 26, 2026

Closing for fresh test run

@vmrh21 vmrh21 closed this Feb 26, 2026
@vmrh21 vmrh21 deleted the fix/cve-2025-7783-form-data-attempt-1 branch February 26, 2026 16:24