
Fix Critical Security Vulnerability in form-data Dependency #6645


Merged: 1 commit, Jul 23, 2025

Conversation

@izzygld (Contributor) commented Jul 23, 2025

Description

This PR addresses a critical vulnerability reported by Snyk in the form-data package, which is a transitive dependency of axios@1.10.0.

Vulnerability: Predictable Value Range from Previous Values (CVE-2025-7783)
Severity: Critical (CVSS 9.4)
Introduced via: axios@1.10.0 > form-data@4.0.0
Remediation: Upgrade form-data to 4.0.4 or higher.

This vulnerability stems from form-data's use of Math.random() for HTTP multipart boundary generation, which allows for predictability and potential exploitation via parameter pollution attacks.

What has been done

  • Ensured form-data is updated to ^4.0.4, which includes the upstream fix.
  • Reviewed dependency tree to confirm no remaining vulnerable paths.
  • Confirmed with snyk test:

✅ Screenshot from Snyk:
✔ Tested 57 dependencies for known issues, no vulnerable paths found.

Tested 104 dependencies for known issues, found 1 issue, 1 vulnerable path.

✗ Predictable Value Range from Previous Values [Critical Severity]
https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150
in form-data@4.0.0 via axios@1.10.0 > form-data@4.0.0

This issue was fixed in versions: 2.5.4, 3.0.4, 4.0.4

Notes

  • Please ensure your local installation pulls the correct patched version if you are testing manually.
  • No breaking changes introduced.
  • Follows Laravel contribution guidelines and commit structure.

@GrahamCampbell (Member) left a comment


This doesn't fix anything. "axios": "^1.8.2" already resolves to the latest 1.x version.

@izzygld (Contributor, Author) commented Jul 23, 2025

While "axios": "^1.8.2" can resolve to the latest 1.x version, in practice many users are still locked to earlier versions via lockfiles or CI environments. Since the fix for the vulnerable form-data@4.0.0 was only introduced in Axios 1.11.0, I believe it’s important to explicitly set that as the minimum required version to ensure users are protected from CVE-2025-7783.

Setting the version floor helps avoid silently continuing to install a vulnerable transitive dependency.
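The reply above turns on the difference between the range in package.json and what the lockfile actually pins. The following added example (not Laravel's, axios's or Snyk's code) audits a package-lock.json for form-data copies below the fixed releases listed in the Snyk output earlier on this page (2.5.4, 3.0.4, 4.0.4), handling both the flat packages map of lockfileVersion 2/3 and the nested dependencies tree of lockfileVersion 1. The sample lock object is constructed for illustration and is not a real file.

```javascript
// Added example, not Laravel's, axios's or Snyk's code: find form-data copies
// in a package-lock.json that are below the fixed release for their major line.

// Fixed release per major line, taken from the Snyk advisory text on this page.
const FIXED_FORM_DATA = { 2: '2.5.4', 3: '3.0.4', 4: '4.0.4' };

// Numeric major.minor.patch comparison; pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 1 nests "dependencies" objects; rebuild node_modules paths so
// nested copies are reported the same way as in v2/v3 locks.
function walkV1(deps, prefix, visit) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    visit(path, meta);
    walkV1(meta.dependencies, `${path}/`, visit);
  }
}

// Returns every installed form-data copy that is below its fixed release.
// fixed === null means the major line has no fixed release listed here.
function findVulnerableFormData(lock) {
  const hits = [];
  const check = (path, meta) => {
    if (!path.endsWith('node_modules/form-data') || !meta || !meta.version) return;
    const major = Number(meta.version.split('.')[0]);
    const fixed = FIXED_FORM_DATA[major];
    if (fixed === undefined) {
      hits.push({ path, version: meta.version, fixed: null });
    } else if (compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version, fixed });
    }
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by node_modules path ("" is the root project).
    for (const [path, meta] of Object.entries(lock.packages)) check(path, meta);
  } else {
    walkV1(lock.dependencies, '', check);
  }
  return hits;
}

// Constructed sample (lockfileVersion 3) mirroring the path in the Snyk output:
// axios@1.10.0 > form-data@4.0.0, plus a second, already patched nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { axios: '^1.8.2' } },
    'node_modules/axios': { version: '1.10.0', dependencies: { 'form-data': '^4.0.0' } },
    'node_modules/form-data': { version: '4.0.0' },
    'node_modules/other-tool/node_modules/form-data': { version: '4.0.4' },
  },
};
```

Against the sample lock, findVulnerableFormData reports only node_modules/form-data at 4.0.0 with fixed 4.0.4; the patched nested copy is left alone. To run it on a real project, pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')); a non-empty result means the caret range in package.json is not what CI will install until the lock is regenerated.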

@taylorotwell taylorotwell merged commit efc90e2 into laravel:12.x Jul 23, 2025
6 checks passed