- Package:
- src:node-form-data
- Source:
- src:node-form-data
- Submitter:
- Salvatore Bonaccorso
- Date:
- 2025-08-22 15:35:11 UTC
- Severity:
- normal
- Tags:
Hi,

The following vulnerability was published for node-form-data.

CVE-2025-7783[0]:
| Use of Insufficiently Random Values vulnerability in form-data
| allows HTTP Parameter Pollution (HPP). This vulnerability is
| associated with program files lib/form_data.Js. This issue affects
| form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-7783
    https://www.cve.org/CVERecord?id=CVE-2025-7783
[1] https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4
[2] https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
Hello,

Bug #1109551 in node-form-data reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-form-data/-/commit/cee782f6ff789f389e6ce2f34ae9549d291e85be

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1109551
We believe that the bug you reported is fixed in the latest version of
node-form-data, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1109551@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-form-data package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 24 Jul 2025 12:45:56 +0200
Source: node-form-data
Architecture: source
Version: 4.0.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1109551
Changes:
node-form-data (4.0.1-2) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.2
* Fix "Insufficiently Random Values vulnerability"
(Closes: #1109551, CVE-2025-7783)
* Launch more tests
Checksums-Sha1:
fb61f317f7f41f7a02e3b991c4ae48bf87b8b86c 2158 node-form-data_4.0.1-2.dsc
413bd119449b63d12e5a3cb028280321c426469f 10612 node-form-data_4.0.1-2.debian.tar.xz
Checksums-Sha256:
a4a4149d9734da30e80c354bdc1d6af91160179ab78c7c3b7860b164cf43813e 2158 node-form-data_4.0.1-2.dsc
2fc94fe86cc3195926a236d0b99439cee27f53501f8cccc69b189e41d3f236a9 10612 node-form-data_4.0.1-2.debian.tar.xz
Files:
ab8ba4b78290a01fc819f2f150925003 2158 javascript optional node-form-data_4.0.1-2.dsc
bba956e02ab3ccb8c6052d902a1afea9 10612 javascript optional node-form-data_4.0.1-2.debian.tar.xz
Hi

Upstream has the fix:
https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0
while Debian has the fix:
https://salsa.debian.org/js-team/node-form-data/-/commit/cee782f6ff789f389e6ce2f34ae9549d291e85be

These fixes are different. The CVE fix in Debian does not have a
50-character boundary anymore, but a 62-character boundary now. This
causes an autopkgtest failure in node-superagent:
https://ci.debian.net/packages/n/node-superagent/testing/amd64/62420387/
The payload size asserts now fail. This does not allow node-form-data
to migrate.

Please use upstream's fix for this CVE instead of crypto.randomUUID()
to preserve the boundary length and not break other packages.

Regards
Pragyansh
Upstream added a dependency instead of using a built-in module; applying the upstream dependency is impossible for Trixie.
Source: node-form-data
Source-Version: 4.0.1-2

As confirmed by Yadd the fix is sufficient for the CVE, so closing it
again with the given version.

Regards,
Salvatore
We believe that the bug you reported is fixed in the latest version of
node-form-data, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1109551@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-form-data package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 24 Jul 2025 12:50:50 +0200
Source: node-form-data
Architecture: source
Version: 4.0.0-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1109551
Changes:
node-form-data (4.0.0-1+deb12u1) bookworm; urgency=medium
.
* Team upload
* Fix "Insufficiently Random Values vulnerability"
(Closes: #1109551, CVE-2025-7783)
* Launch more tests
Checksums-Sha1:
39364084b7969fd7c4f706c86def6818e564ab9a 2190 node-form-data_4.0.0-1+deb12u1.dsc
a157faaefc9afc2fdc2fa460c14c5ca1aac5001e 10600 node-form-data_4.0.0-1+deb12u1.debian.tar.xz
Checksums-Sha256:
dbcfad9c3d968b1665636e545bffebc67dfb626f6eb37a2417e9a1a57fa6f055 2190 node-form-data_4.0.0-1+deb12u1.dsc
0cc0540a3ed57798c8184291383bc5398e928f2965d5ac9167c7cdbc362d19f5 10600 node-form-data_4.0.0-1+deb12u1.debian.tar.xz
Files:
1d99586f28ff884afda76799ba09b633 2190 javascript optional node-form-data_4.0.0-1+deb12u1.dsc
ad25fc670616d62b5b6e69d43d9fd4c7 10600 javascript optional node-form-data_4.0.0-1+deb12u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmiLsnMACgkQ9tdMp8mZ
7umdsw//bMyiziuPzTKHnkv/zI2lLNzqsXL1cr8eoAuuSa89zK6VkrHGMfnyEi8/
hDJdZ2mNyPxZhyUptNejIwfI5ntaJ/GqdYEIUlrvftUvq6oSy8QZYnol4rHy9iON
MP7SW40qq5KF4XlIHtWNp8LNgh97a5uFiywzNtFQOvjqBQ/6mS2TTSC5aOoW/daH
kmeUfK3vg3aNWSnxAPxMrToQUNHG3KFs4n00+082tvWNLBm2vusavx0sXi1b90DQ
kQDU6RFFAaZSGIZtK4nYEEsUr86hXUkvI96mY2ceoZs5T/VYayaWFCUfdsPJ3dii
f9F7k7J7caCA5wo8PBxbTkLTnIVJIG8d90iL1FnrIju8LpxqLopEWvhC5nk4DQRF
rrS2J4d5NQH0JlPwy/pbgWg+hzDPlJENVdpvfn9S7Ftibgkys6L44NpmDWN0w00p
83hxLSl9EOcn0UfWMkVCHy7Z901cEuMdOmcbQyrVdVizijhVT8CtJXwQPALgdlEA
TqSVBbAhluseuf2c33lJkZdabBqWA5ONcgkmBa24IQDa7ovWhcfhzwJcsoFa+2bu
MfdBJVgm0r9lcNcttwuC7y71jJuE276cDCyD04SagD+jyTdP3ghs9VSaGR+WWzOZ
S/Xapwe/JherLVuLycam1lv+2ei3C7/BgkFj8npII6OaDGmGPm8=
=m1gx
-----END PGP SIGNATURE-----