From Salvatore Bonaccorso@21:1/5 to All on Sat Jul 19 23:00:01 2025
Source: node-form-data
Version: 4.0.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-form-data.
CVE-2025-7783[0]:
| Use of Insufficiently Random Values vulnerability in form-data
| allows HTTP Parameter Pollution (HPP). This vulnerability is
| associated with program files lib/form_data.Js. This issue affects
| form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
These fixes are different. The CVE fix in Debian does not have a 50
character boundary anymore, but a 62 character boundary now.
This causes an autopkgtest failure in node-superagent (https://ci.debian.net/packages/n/node-superagent/testing/amd64/62420387/):
the payload size asserts now fail. This does not allow node-form-data to migrate.
Please use upstream's fix for this CVE instead of
crypto.randomUUID() to preserve boundary length and not break other
packages.