Description
Snyk has flagged a vulnerability in the transitive dependency form-data@2.3.3, which enters this project through firebase-electron@1.1.0. Snyk rates it Critical (on the CVSS v4.0 score below), so it should be remediated promptly.
Vulnerability Details
Vulnerability Name: Predictable Value Range from Previous Values
CWE: CWE-343
CVE ID: CVE-2025-7783
CVSS v3.1 Score: 8.7 (High Severity)
CVSS v4.0 Score: 9.4 (Critical Severity)
Affected Package: form-data
Vulnerable Version: form-data@2.3.3
Root Cause and Impact (Overview)
Affected versions generate the multipart/form-data boundary string with Math.random(), which is not a cryptographically secure PRNG: its output can be predicted from previously observed values (CWE-343). An attacker who can predict the boundary and who controls some value that ends up in the multipart body can embed the boundary in that value, terminating the part early and appending parts of their own. The receiving server then sees extra or duplicated fields, i.e. HTTP parameter pollution. The practical impact therefore depends on whether untrusted input reaches a multipart body built by this library and on whether the attacker can observe enough Math.random() output from the same process to predict the boundary. A proof of concept is available.
Introduction and Fix Information
Introduced Through: firebase-electron@1.1.0
Direct Introduction Path: (via firebase-electron@1.1.0 -> request@2.88.2 -> form-data@2.3.3)
Fix Versions: The vulnerability is fixed in the following versions of the form-data package:
form-data@2.5.4
form-data@3.0.4
form-data@4.0.4
Acceptance Criteria / Definition of Done
The transitive dependency form-data is upgraded to a fixed version. Because request@2.88.2 declares form-data with a ~2.3.x range, the fix compatible with this introduction path is form-data@2.5.4 (the 2.x fix line), pinned through an npm "overrides" (or Yarn "resolutions") entry scoped to request so that any 4.x copy used elsewhere is not downgraded; 4.0.4 applies only if the dependency on request is replaced. request is deprecated, so removing it upstream is the longer-term fix.
A clean Snyk scan confirms that the Predictable Value Range vulnerability (CVE-2025-7783) is resolved for the project.