GHSA-rm8p-cx58-hcvx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rm8p-cx58-hcvx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-rm8p-cx58-hcvx/GHSA-rm8p-cx58-hcvx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rm8p-cx58-hcvx
- Aliases
-
- CVE-2025-54371
- Related
- Withdrawn
- 2025-07-24T13:35:30Z
- Published
- 2025-07-23T16:49:38Z
- Modified
- 2026-02-04T04:10:03.522259Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Withdrawn Advisory: Axios has Transitive Critical Vulnerability via form-data
- Details
-
Withdrawn Advisory
This advisory has been withdrawn because users of Axios 1.10.0 have the flexibility to use a patched version of form-data, the software in which the vulnerability originates, without upgrading Axios to address GHSA-fjxv-7rqg-78g4.
Original Description
A critical vulnerability exists in the form-data package used by
axios@1.10.0. The issue allows an attacker to predict multipart boundary values generated usingMath.random(), opening the door to HTTP parameter pollution or injection attacks.This was submitted in issue #6969 and addressed in pull request #6970.
Details
The vulnerable package
form-data@4.0.0is used byaxios@1.10.0as a transitive dependency. It uses non-secure, deterministic randomness (Math.random()) to generate multipart boundary strings.This flaw is tracked under Snyk Advisory SNYK-JS-FORMDATA-10841150 and CVE-2025-7783.
Affected
form-dataversions: - <2.5.4 - >=3.0.0 <3.0.4 - >=4.0.0 <4.0.4Since
axios@1.10.0pulls inform-data@4.0.0, it is exposed to this issue.PoC
- Install Axios: -
npm install axios@1.10.02.Runsnyk test:Tested 104 dependencies for known issues, found 1 issue, 1 vulnerable path. ✗ Predictable Value Range from Previous Values [Critical Severity] in form-data@4.0.0 via axios@1.10.0 > form-data@4.0.0 - Trigger a multipart/form-data request. Observe the boundary header uses predictable random values, which could be exploited in a targeted environment.
Impact
- Vulnerability Type: Predictable Value / HTTP Parameter Pollution
- Risk: Critical (CVSS 9.4)
- Impacted Users: Any application using axios@1.10.0 to submit multipart form-data
This could potentially allow attackers to: - Interfere with multipart request parsing - Inject unintended parameters - Exploit backend deserialization logic depending on content boundaries
Related Links
Pull Request #xxxx (replace with actual link)
- Install Axios: -
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2025-07-23T16:49:38Z", "severity": "HIGH", "nvd_published_at": "2025-07-23T21:15:26Z", "cwe_ids": [] }- References
-
- https://github.com/axios/axios/security/advisories/GHSA-rm8p-cx58-hcvx
- https://nvd.nist.gov/vuln/detail/CVE-2025-54371
- https://nvd.nist.gov/vuln/detail/CVE-2025-7783
- https://github.com/axios/axios/issues/6969
- https://github.com/axios/axios/pull/6970
- https://github.com/advisories/GHSA-fjxv-7rqg-78g4
- https://github.com/axios/axios
- https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150
Affected packages
npm / axios
Package
- Name
- axios
- View open source insights on deps.dev
- Purl
- pkg:npm/axios