build(cypress): remediate GHSA-fjxv-7rqg-78g4 by pinning transitive form-data#17717
Closed
Copilot wants to merge 3 commits into
Closed
build(cypress): remediate GHSA-fjxv-7rqg-78g4 by pinning transitive form-data#17717Copilot wants to merge 3 commits into
Copilot wants to merge 3 commits into
Conversation
Agent-Logs-Url: https://github.com/rancher/dashboard/sessions/b419432b-8f36-4205-9a44-9fb015d41af5 Co-authored-by: mantis-toboggan-md <42977925+mantis-toboggan-md@users.noreply.github.com>
Agent-Logs-Url: https://github.com/rancher/dashboard/sessions/b419432b-8f36-4205-9a44-9fb015d41af5 Co-authored-by: mantis-toboggan-md <42977925+mantis-toboggan-md@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix vulnerability in form-data boundary selection
build(cypress): remediate GHSA-fjxv-7rqg-78g4 by pinning transitive form-data
May 18, 2026
Member
|
@mantis-toboggan-md This may not be needed if we bump Cypress via this PR: #17710 |
Member
|
Ah good call -- double checked the yarn.lock files in that PR and all reference at least form-data 2.5.5 so this CVE will be covered. Given that I'll close this PR |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Dependabot flagged CVE-2025-7783 / GHSA-fjxv-7rqg-78g4 in
cypress/yarn.lock, whereform-data@2.3.3was present via transitive resolution. This PR updates Cypress dependency resolution to a patched line and removes the vulnerable lockfile resolution with minimal scope.Occurred changes and/or fixed issues
/cypress/package.jsonto pin:form-data→4.0.5/cypress/yarn.lockusing Yarn tooling.form-data@~2.3.2now resolves to4.0.5; vulnerable2.3.3resolution is no longer present.Technical notes summary
form-dataimports and explicit multipart construction patterns (new FormData,multipart/form-data,form: true) in repository-authored code; none found.cy.request(...)) in this repo is JSON-body oriented; exposure appears primarily transitive through Cypress internals, not explicit local multipart assembly.{ "resolutions": { "axios": "1.13.5", "form-data": "4.0.5" } }Areas or cases that should be tested
cy.request(...), especially API helper commands incypress/support/commands/rancher-api-commands.ts.cypress/package context.Areas which could experience regressions
form-data2.x.form-datasemantics under@cypress/request.Screenshot/Video
N/A (dependency/lockfile-only change)
Checklist
Admin,Standard UserandUser BaseWarning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
download.cypress.io/usr/local/bin/node /usr/local/bin/node index.js --exec install(dns block)If you need me to access, download, or install something from one of these locations, you can either:
Original prompt
This section details the Dependabot vulnerability alert you should resolve
<alert_title>form-data uses unsafe random function in form-data for choosing boundary</alert_title>
<alert_description>### Summary
form-data uses
Math.random()to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker:Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request.
This is largely the same vulnerability as was recently found in
undicibyparrot409-- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work.Details
The culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347
An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a
x-request-idheader added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend.Math.random()is a fine place to get these sorts of IDs (in fact, opentelemetry uses Math.random for this purpose)PoC
PoC here: https://github.com/benweissmann/CVE-2025-7783-poc
Instructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID).
Impact
For an application to be vulnerable, it must:
form-datato send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array)If an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.</alert_description>
critical
https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4 https://nvd.nist.gov/vuln/detail/CVE-2025-7783 https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0 https://github.com/benweissmann/CVE-2025-7783-poc https://lists.debian.org/debian-lts-announce/2025/07/msg00023.html https://github.com/advisories/GHSA-fjxv-7rqg-78g4GHSA-fjxv-7rqg-78g4, CVE-2025-7783
form-data
npm
<vulnerable_versions>2.3.3</vulnerable_versions>
<patched_version>2.5.4</patched_version>
<manifest_path>cypress/yarn.lock</manifest_path>
<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachabil...