CVE-2025-7783: Unsafe random function in form-data
Issue type: Epic
Resolution: Unresolved
Priority: Major
Security & Compliance
Status: In Progress
Progress: 57% To Do, 14% In Progress, 29% Done
(11/24) "Update jest-environment-jsdom" Draft PR is up https://github.com/RedHatInsights/uhc-portal/pull/252
Original Description:
Security Tracking Issue
Do not make this issue public.
Flaw:
Unsafe random function in form-data
Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with the program file lib/form_data.js. The affected releases build the multipart boundary string from Math.random(), which is not a cryptographically secure source; an attacker who can predict the boundary and controls the content of one field can embed extra boundary-delimited parts in that field, so the receiving server parses parameters the application never set.
This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
~~~
The short-term fix to address the CVE was to add a resolutions override in package.json:
"resolutions": { ... ... "form-data": "^4.0.4" }
Note: as the dependencies below are updated, the resolutions override above should be narrowed to just the packages that still pull in a vulnerable form-data (yarn accepts path-scoped keys such as "axios/form-data") rather than forcing the version for the whole tree.
The form-data resolution above must be deleted when all the mentioned dependencies below are updated!
Longer term the following dependencies need to be updated to properly handle the CVE:
| Package | Current Version | Current form-data | Latest Version | Latest form-data | CVE Status |
|---|---|---|---|---|---|
| axios | 1.7.4 | 4.0.0 | 1.11.0 | 4.0.4 | Latest: FIXED |
| Cypress | 13.17.0 | 4.0.0 | 14.5.3 | 4.0.4 | Latest: FIXED |
| jest-environment-jsdom | 29.7.0 | 4.0.0 | 30.0.5 | None | Latest: No dependency |