
CVE-2025-7783 PoC — Usage of unsafe random function in form-data for choosing boundary

Source
Associated Vulnerability
Title: Usage of unsafe random function in form-data for choosing boundary (CVE-2025-7783)
Description: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with the program file lib/form_data.js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
Description
POC of CVE-2025-7783
Readme
# form-data boundary randomness vulnerability (CVE-2025-7783)

Largely based on https://hackerone.com/reports/2913312 by https://hackerone.com/parrot409?type=user

Installing:
- `npm install`
- Make sure you have `python3` installed with the `z3` module (`pip3 install -r requirements.txt`) -- the exploit code shells out to `python3` to predict the next random value

Running:

In parallel, run:
- `npm run start-backend` (the backend server that will receive the manipulated request)
- `npm run start-vulnerable-server` (the frontend server that can be tricked into sending a manipulated request)
- `npm run exploit` (the client code that crafts and sends the exploit)

In the stdout of `npm run start-backend`, you should see a request with `is_admin: true` (despite the code in `vulnerable-server.js` never intending to add an `is_admin` parameter to the API call).
File Snapshot

[4.0K] /data/pocs/3a7dcb33419053e6d0b487e89a499defc7a18dee
├── [ 367] backend.js
├── [1.9K] exploit.js
├── [ 416] package.json
├── [ 38K] package-lock.json
├── [1.1K] predict.py
├── [ 861] README.md
├── [  38] requirements.txt
└── [ 725] vulnerable-server.js

0 directories, 8 files