Aikido Patches Critical Randomness Flaw in form-data Library, Resolving CVE-2025-7783
Aikido has resolved a critical vulnerability in the popular form-data npm library through a minor version upgrade from 4.0.0 to 4.0.4. The flaw, tracked as CVE-2025-7783, stems from the use of insufficiently random values, which exposes applications to HTTP Parameter Pollution (HPP) attacks. The vulnerability was identified through Aikido's automated security scanning platform, which flagged the weakness in the lib/form_data.js source file.
The HPP vulnerability allows attackers to manipulate web application behavior by exploiting inconsistent parameter handling across different platforms and frameworks. This can lead to bypassed validation logic, corrupted database queries, or unexpected application responses. The affected releases are form-data versions below 2.5.4, 3.0.0 through 3.0.3, and 4.0.0 through 4.0.3. The upgrade to version 4.0.4 addresses the randomness weakness without introducing breaking changes, so affected projects can patch immediately with minimal integration risk.
Developers using form-data in production environments are advised to audit their dependency trees and confirm they are running version 4.0.4 or later. The vulnerability carries a critical severity rating, indicating potential for significant impact in applications that process user-submitted form data without sufficient sanitization. Aikido's associated Linear issue (ECO-252) tracks the upgrade process internally, reflecting the systematic approach taken to remediate the exposure.
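The dependency-tree audit recommended above, as an added example that is neither Aikido's nor form-data's own code: it walks the `packages` map of an npm lockfile (v2/v3 format) and reports every copy of form-data, including nested duplicates, whose version falls in the ranges listed for CVE-2025-7783. The sample lockfile is constructed for illustration.

```javascript
// Added example (not from the page or the form-data project): flag form-data
// copies in an npm lockfile whose version is in a CVE-2025-7783 affected range.
// Ranges are [lo, hi): < 2.5.4, 3.0.0..3.0.3, 4.0.0..4.0.3 (as stated in the article).
const AFFECTED = [
  { lo: null,    hi: '2.5.4' },
  { lo: '3.0.0', hi: '3.0.4' },
  { lo: '4.0.0', hi: '4.0.4' },
];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric major.minor.patch comparison (pre-release tags are ignored here).
function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  return AFFECTED.some(({ lo, hi }) =>
    (lo === null || compare(version, lo) >= 0) && compare(version, hi) < 0);
}

// Lockfile keys look like "node_modules/form-data" for the top-level copy and
// "node_modules/<parent>/node_modules/form-data" for nested (deduped-out) copies.
function findVulnerableFormData(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const isFormData = path === 'node_modules/form-data' || path.endsWith('/node_modules/form-data');
    if (isFormData && isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample: top-level copy already patched, two nested copies still vulnerable.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/form-data': { version: '4.0.4' },
    'node_modules/some-client/node_modules/form-data': { version: '4.0.0' },
    'node_modules/legacy-tool/node_modules/form-data': { version: '2.5.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findVulnerableFormData(sampleLock));
}
```

Point it at a real `package-lock.json` with `JSON.parse(fs.readFileSync(...))`; a clean tree returns an empty array.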