CVE-2025-54371 is a low severity vulnerability with a CVSS score of 0.0. No known public exploits at this time.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
This advisory has been withdrawn because users of Axios 1.10.0 have the flexibility to use a patched version of form-data, the software in which the vulnerability originates, without upgrading Axios to address GHSA-fjxv-7rqg-78g4.
A critical vulnerability exists in the form-data package used by [email protected]. The issue allows an attacker to predict multipart boundary values generated using Math.random(), opening the door to HTTP parameter pollution or injection attacks.
This was submitted in issue #6969 and addressed in pull request #6970.
The vulnerable package [email protected] is used by [email protected] as a transitive dependency. It uses non-secure, deterministic randomness (Math.random()) to generate multipart boundary strings.
This flaw is tracked under Snyk Advisory SNYK-JS-FORMDATA-10841150 and CVE-2025-7783.
Affected form-data versions:
>=3.0.0 <3.0.4
>=4.0.0 <4.0.4
Since [email protected] pulls in [email protected], it is exposed to this issue.
1. npm install [email protected]
2. Run snyk test:
Tested 104 dependencies for known issues, found 1 issue, 1 vulnerable path.
✗ Predictable Value Range from Previous Values [Critical Severity]
in [email protected] via [email protected] > [email protected]
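An offline counterpart to the scan above, as an added example that is not part of the advisory or of either project: it walks the "packages" map of a package-lock.json and reports every resolved form-data copy that falls in the two ranges listed on this page, read as >=3.0.0 <3.0.4 and >=4.0.0 <4.0.4. The sample lockfile, the package name legacy-client and all function names are constructed for illustration.

```javascript
// Added example: flag form-data versions in the affected ranges inside a package-lock.json.
const AFFECTED = [          // ranges as listed on this page: [inclusive low, exclusive high]
  ["3.0.0", "3.0.4"],
  ["4.0.0", "4.0.4"],
];

// Compare two plain x.y.z versions numerically; returns -1, 0 or 1.
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const core = version.split(/[-+]/)[0]; // drop prerelease/build suffix, compare x.y.z only
  return AFFECTED.some(([lo, hi]) => cmp(core, lo) >= 0 && cmp(core, hi) < 0);
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map).
function findAffectedFormData(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Matches top-level and nested copies, e.g. node_modules/a/node_modules/form-data.
    if (!path.endsWith("node_modules/form-data")) continue;
    if (meta.version && isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/axios": { version: "1.10.0" },
    "node_modules/form-data": { version: "4.0.3" },
    "node_modules/legacy-client/node_modules/form-data": { version: "3.0.4" },
  },
};

console.log(findAffectedFormData(sampleLock));
```

To check a real project, pass the parsed contents of its own package-lock.json to findAffectedFormData instead of sampleLock; an empty result means no resolved form-data copy is in the listed ranges.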
This could potentially allow attackers to:
Pull Request #xxxx (replace with actual link)
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.