Bump form-data to bring in fix for critical vulnerability by gowridurgad · Pull Request #652 · actions/setup-dotnet (original) (raw)

This PR upgrades the form-data dependency to version 4.0.4 using npm audit fix, resolving a critical security vulnerability identified as CVE-2025-7783.

Vulnerability Summary:
form-data previously used Math.random() to generate boundary values for multipart form-encoded data. Because Math.random() is a pseudo-random number generator, it can be predicted if an attacker:

Can observe outputs of Math.random() in the application (e.g., via request headers), and

Can control at least one field in a form-data request.

This predictability allows an attacker to guess the multipart boundary, enabling them to inject additional fields or override values in downstream requests, leading to potential manipulation of internal services.

Affected Package:
Package: form-data

Vulnerable Versions: < 2.5.4

Fixed Version: >= 2.5.4 (current version after fix: 4.0.4)

Resolution:
This PR brings in the fix by allowing npm audit fix to bump the form-data version to 4.0.4, which no longer uses Math.random() and includes proper randomization for multipart boundaries.

Related issue:
dependabot alert #39
dependabot alert #40