🚨 [security] [js] Update axios 1.10.0 → 1.11.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ axios (1.10.0 → 1.11.0) · Repo · Changelog

Security Advisories 🚨

🚨 Axios has Transitive Critical Vulnerability via form-data — Predictable Boundary Values (CVE-2025-7783)

Summary

A critical vulnerability exists in the form-data package used by axios@1.10.0. The issue allows an attacker to predict multipart boundary values generated using Math.random(), opening the door to HTTP parameter pollution or injection attacks.

This was submitted in issue #6969 and addressed in pull request #6970.

Details

The vulnerable package form-data@4.0.0 is used by axios@1.10.0 as a transitive dependency. It uses non-secure, deterministic randomness (Math.random()) to generate multipart boundary strings.

This flaw is tracked under Snyk Advisory SNYK-JS-FORMDATA-10841150 and CVE-2025-7783.

Affected form-data versions:

• <2.5.4

• =3.0.0 <3.0.4

• =4.0.0 <4.0.4

Since axios@1.10.0 pulls in form-data@4.0.0, it is exposed to this issue.

PoC

1. Install Axios: - npm install axios@1.10.0
   2.Run snyk test:

Tested 104 dependencies for known issues, found 1 issue, 1 vulnerable path.
✗ Predictable Value Range from Previous Values [Critical Severity]

in form-data@4.0.0 via axios@1.10.0 > form-data@4.0.0

3. Trigger a multipart/form-data request. Observe the boundary header uses predictable random values, which could be exploited in a targeted environment.

Impact

• Vulnerability Type: Predictable Value / HTTP Parameter Pollution
• Risk: Critical (CVSS 9.4)
• Impacted Users: Any application using axios@1.10.0 to submit multipart form-data

This could potentially allow attackers to:

• Interfere with multipart request parsing
• Inject unintended parameters
• Exploit backend deserialization logic depending on content boundaries

Related Links

GitHub Issue #6969

Pull Request #xxxx (replace with actual link)

Snyk Advisory

form-data on npm

Commits

See the full diff on Github. The new version differs by 10 commits:

• chore(release): v1.11.0 (#6974)
• fix: form-data npm pakcage (#6970)
• fix(types): resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956)
• fix: prevent RangeError when using large Buffers (#6961)
• refactor: use spread operator instead of '.apply()' (#6938)
• refactor: use an object spread instead of Object.assign (#6939)
• chore(sponsor): update sponsor block (#6952)
• docs(CONTRIBUTING): update docs link for accuracy (#6894)
• chore(sponsor): update sponsor block (#6948)
• chore(sponsor): update sponsor block (#6937)

↗️ form-data (indirect, 4.0.3 → 4.0.4) · Repo

Security Advisories 🚨

🚨 form-data uses unsafe random function in form-data for choosing boundary

Summary

form-data uses Math.random() to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker:

1. can observe other values produced by Math.random in the target application, and
2. can control one field of a request made using form-data

Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request.

This is largely the same vulnerability as was recently found in undici by parrot409 -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work.

Details

The culprit is this line here:

form-data/lib/form_data.js

Line 347 in 426ba9a

    <tbody>

boundary += Math.floor(Math.random() * 10).toString(16);

An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a x-request-id header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. Math.random() is a fine place to get these sorts of IDs (in fact, opentelemetry uses Math.random for this purpose)

PoC

PoC here: https://github.com/benweissmann/CVE-2025-7783-poc

Instructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID).

Impact

For an application to be vulnerable, it must:

• Use form-data to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array)
• Reveal values of Math.random(). It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values.

If an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.

Commits

See the full diff on Github. The new version differs by 8 commits:

• v4.0.4
• [meta] actually ensure the readme backup isn’t published
• [meta] fix readme capitalization
• [meta] add `auto-changelog`
• [Tests] fix linting errors
• [Tests] handle predict-v8-randomness failures in node < 17 and node > 23
• [Dev Deps] update `@ljharb/eslint-config`
• [Fix] Switch to using `crypto` random for boundary values

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Join our Discord community for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[depfu]

Closed in favor of #18.

[depfu]

Closed in favor of #18.

[depfu]

Closed in favor of #18.

[depfu]

Closed in favor of #18.