7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54371

GHSA ID

GHSA-rm8p-cx58-hcvx

EPSS Score

CWE

Published

7/23/2025

Updated

7/24/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54371

CVE-2025-54371: Withdrawn Advisory: Axios has Transitive Critical Vulnerability via form-data

Withdrawn Advisory

This advisory has been withdrawn because users of Axios 1.10.0 have the flexibility to use a patched version of form-data, the software in which the vulnerability originates, without upgrading Axios to address GHSA-fjxv-7rqg-78g4.

Original Description

A critical vulnerability exists in the form-data package used by axios@1.10.0. The issue allows an attacker to predict multipart boundary values generated using Math.random(), opening the door to HTTP parameter pollution or injection attacks.

This was submitted in issue #6969 and addressed in pull request #6970.

Details

The vulnerable package form-data@4.0.0 is used by axios@1.10.0 as a transitive dependency. It uses non-secure, deterministic randomness (Math.random()) to generate multipart boundary strings.

This flaw is tracked under Snyk Advisory SNYK-JS-FORMDATA-10841150 and CVE-2025-7783.

Affected form-data versions:

<2.5.4
=3.0.0 <3.0.4
=4.0.0 <4.0.4

Since axios@1.10.0 pulls in form-data@4.0.0, it is exposed to this issue.

PoC

Install Axios: - npm install axios@1.10.0 2.Run snyk test:

Tested 104 dependencies for known issues, found 1 issue, 1 vulnerable path.

✗ Predictable Value Range from Previous Values [Critical Severity]
in form-data@4.0.0 via axios@1.10.0 > form-data@4.0.0

Trigger a multipart/form-data request. Observe the boundary header uses predictable random values, which could be exploited in a targeted environment.

Impact

Vulnerability Type: Predictable Value / HTTP Parameter Pollution
Risk: Critical (CVSS 9.4)
Impacted Users: Any application using axios@1.10.0 to submit multipart form-data

This could potentially allow attackers to:

Interfere with multipart request parsing
Inject unintended parameters
Exploit backend deserialization logic depending on content boundaries

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54371

GHSA ID

GHSA-rm8p-cx58-hcvx

EPSS Score

CWE

Published

7/23/2025

Updated

7/24/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
axios	npm	= 1.10.0	1.11.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is not in the Axios codebase itself, but in a transitive dependency, form-data. The vulnerability lies in the form-data package's use of Math.random() for generating multipart boundaries, which is predictable. The fix applied to Axios was to update the form-data dependency from version 4.0.0 to 4.0.4 in package.json and package-lock.json. This is evident from the commit 53c1606737e2b8c541b5c1dc801180cda4313961. Since the flaw is not in Axios's own functions, no vulnerable functions from the axios package can be identified. The exploitation would occur when an application uses axios to send multipart form data, which in turn calls the vulnerable code within the form-data library. Without analyzing the form-data package's source code, it is not possible to identify the specific vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Wit**r*wn **visory T*is **visory **s ***n wit**r*wn ****us* us*rs o* *xios *.**.* **v* t** *l*xi*ility to us* * p*t**** v*rsion o* *orm-**t*, t** so*tw*r* in w*i** t** vuln*r**ility ori*in*t*s, wit*out up*r**in* *xios to ***r*ss **S*-*jxv-*rq*-**

Reasoning

T** vuln*r**ility is not in t** *xios *o****s* its*l*, *ut in * tr*nsitiv* **p*n**n*y, `*orm-**t*`. T** vuln*r**ility li*s in t** `*orm-**t*` p**k***'s us* o* `M*t*.r*n*om()` *or **n*r*tin* multip*rt *oun**ri*s, w*i** is pr**i*t**l*. T** *ix *ppli**

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-54371: Withdrawn Advisory: Axios has Transitive Critical Vulnerability via form-data

Withdrawn Advisory

Original Description

Details

PoC

Impact

Related Links

7.5

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Detect and Respond To Threats Faster.

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-54371: Withdrawn Advisory: Axios has Transitive Critical Vulnerability via form-data

Withdrawn Advisory

Original Description

Details

PoC

Impact

Related Links

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI