关联漏洞
标题:
form-data 安全漏洞
(CVE-2025-7783)
描述:Form-Data是FormData开源的一个用于创建可读的表单数据流的模块。可用于向其他web应用程序提交表单和文件上传。 form-data 2.5.4之前版本、3.0.0至3.0.3版本和4.0.0至4.0.3版本存在安全漏洞,该漏洞源于随机性不足,可能导致HTTP参数污染攻击。
描述
POC of CVE-2025-7783
介绍
# form-data boundary randomness vulnerability (CVE-2025-7783)
Largely based on https://hackerone.com/reports/2913312 by https://hackerone.com/parrot409?type=user
Installing:
- `npm install`
- Make sure you have `python3` installed with the `z3` module (`pip3 install -r requirements.txt`) -- the exploit code shells out to `python3` to predict the next random value
Running:
In parallel, run:
- `npm run start-backend` (the backend server that will receive the manipulated request)
- `npm run start-vulnerable-server` (the frontend server that can be tricked into sending a manipulated request)
- `npm run exploit` (the client code that crafts and sends the exploit)
In the stdout of `npm run backend`, you should see a request with `is_admin: true` (despite the code in `vulnerable-server.js` never intending to add an is_admin parameter to the API call)
文件快照
[4.0K] /data/pocs/3a7dcb33419053e6d0b487e89a499defc7a18dee
├── [ 367] backend.js
├── [1.9K] exploit.js
├── [ 416] package.json
├── [ 38K] package-lock.json
├── [1.1K] predict.py
├── [ 861] README.md
├── [ 38] requirements.txt
└── [ 725] vulnerable-server.js
0 directories, 8 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。