CVE-2025-7783

CRITICAL

form-data <2.5.4, 3.0.0-3.0.3, 4.0.0-4.0.3 - HPP

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-7783. PoCs published by benweissmann.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2025-7783, which leverages predictable randomness in form-data boundary generation to manipulate requests. The exploit uses a Z3 solver to predict the next random value and injects an 'is_admin: true' parameter into a form-data request.

Description

Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

Exploits (1)

nomisec WORKING POC 29 stars
by benweissmann · poc
https://github.com/benweissmann/CVE-2025-7783-poc

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Complex
Reliability: Reliable
Target: Node.js applications using form-data with predictable randomness
No auth needed
Prerequisites: Node.js environment · Python3 with Z3 solver · Access to vulnerable server
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v4 9.4
EPSS 0.0132
EPSS Percentile 80.4%
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE CWE-330
Status published
Products (1)
npm/form-data 0 - 2.5.4 (npm)
Published Jul 18, 2025
Tracked Since Feb 18, 2026