CVE-2025-7783 PoC — form-data 安全漏洞

Source

https://github.com/benweissmann/CVE-2025-7783-poc

Associated Vulnerability

Title:form-data 安全漏洞 (CVE-2025-7783)
Description:Form-Data是FormData开源的一个用于创建可读的表单数据流的模块。可用于向其他web应用程序提交表单和文件上传。 form-data 2.5.4之前版本、3.0.0至3.0.3版本和4.0.0至4.0.3版本存在安全漏洞，该漏洞源于随机性不足，可能导致HTTP参数污染攻击。

Description

POC of CVE-2025-7783

Readme

# form-data boundary randomness vulnerability (CVE-2025-7783)

Largely based on https://hackerone.com/reports/2913312 by https://hackerone.com/parrot409?type=user

Installing:
- `npm install`
- Make sure you have `python3` installed with the `z3` module (`pip3 install -r requirements.txt`) -- the exploit code shells out to `python3` to predict the next random value

Running:

In parallel, run:
- `npm run start-backend` (the backend server that will receive the manipulated request)
- `npm run start-vulnerable-server` (the frontend server that can be tricked into sending a manipulated request)
- `npm run exploit` (the client code that crafts and sends the exploit)

In the stdout of `npm run backend`, you should see a request with `is_admin: true` (despite the code in `vulnerable-server.js` never intending to add an is_admin parameter to the API call)

File Snapshot


 [4.0K]  /data/pocs/3a7dcb33419053e6d0b487e89a499defc7a18dee
├── [ 367]  backend.js
├── [1.9K]  exploit.js
├── [ 416]  package.json
├── [ 38K]  package-lock.json
├── [1.1K]  predict.py
├── [ 861]  README.md
├── [  38]  requirements.txt
└── [ 725]  vulnerable-server.js

0 directories, 8 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!