
Conversation


Copilot AI commented Jan 8, 2026

✅ Structure Fix: Reordered package.json sections

Changes:

  • Reordered package.json to match master's structure
  • Moved "overrides" section before "browser" section
  • No functional changes - all dependencies and overrides remain the same
  • Verified form-data 4.0.5 is still installed (vulnerability fixed)
  • Verified axios 1.13.2 is still installed (SSRF vulnerability fixed)
  • Linting passes

Why This Change:

GitHub was detecting a conflict due to the different ordering of sections in package.json between this branch and master. By matching master's structure exactly (overrides before browser), the conflict is resolved.

Verification:

  • ✅ form-data: 4.0.5 (overridden)
  • ✅ axios: 1.13.2 (overridden)
  • ✅ Linting passes
  • ✅ package.json structure matches master
Original prompt

Security Vulnerability: CVE-2025-7783 in form-data

Issue

Dependabot has identified a security vulnerability in the form-data package (npm). The current version 4.0.0 is vulnerable to boundary prediction attacks due to unsafe use of Math.random().

Reference: Dependabot alert devsecopsmaturitymodel#46

Vulnerability Details

  • Package: form-data (npm)
  • Current Version: 4.0.0 (via transitive dependency)
  • Affected Versions: >= 4.0.0, < 4.0.4
  • Fixed Version: 4.0.4 or higher
  • Dependency Chain: @angular-eslint/builder 13.5.0 → ... → form-data 4.0.0

Problem

The form-data package uses Math.random() to generate boundary values for multipart form-encoded data. Since Math.random() produces predictable pseudo-random values, an attacker who can observe these values could predict future boundaries and inject malicious parameters into requests.

Required Fix

Update the dependency chain to use form-data version 4.0.4 or higher. This can be achieved by:

  1. Primary approach: Update @angular-eslint/builder from version 13.5.0 to a recent version that depends on the patched form-data (version 4.0.4+)

  2. Alternative approach (if direct update causes breaking changes): Use npm overrides to force form-data to version 4.0.4 or higher by adding to package.json:

{
  "overrides": {
    "form-data": ">=4.0.4"
  }
}

Acceptance Criteria

  • form-data is updated to version 4.0.4 or higher
  • package-lock.json reflects the updated dependency version
  • Running npm list form-data shows version 4.0.4 or higher
  • Running npm audit no longer shows this vulnerability
  • All existing tests pass
  • The project builds successfully

Testing

After applying the fix, verify with:

npm list form-data
npm audit
npm run build
npm test

Additional Context

This vulnerability requires specific conditions to be exploited (user-controlled data in form submissions + observable Math.random() values), but should still be addressed to maintain security best practices.

This pull request was created from Copilot chat.


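The acceptance criterion "npm list form-data shows 4.0.4 or higher" is easy to misjudge when a nested copy survives under a transitive dependency. As an added example (not part of the PR or of npm), this scans a package-lock.json "packages" map (lockfileVersion 2 or 3) for every copy of a package below the fixed version; the lockfile fragment is constructed to mirror the alert's dependency chain.

```javascript
// Added example: find every installed copy of a dependency that is older
// than the fixed version, including nested copies such as
// node_modules/@angular-eslint/builder/node_modules/form-data.

// Numeric dotted-version comparison ("4.0.10" > "4.0.4"); pre-release tags
// are stripped, which is enough for checking a fixed-version floor.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// lock: parsed package-lock.json. Returns [{ path, version }] for each copy
// of `name` whose version is below `fixed`.
function findVulnerableCopies(lock, name, fixed) {
  const hits = [];
  const suffix = "node_modules/" + name;
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(suffix) || !entry.version) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment: the override pins the top-level copy to
// 4.0.5, but a nested copy under the builder is still at 4.0.0.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/form-data": { version: "4.0.5" },
    "node_modules/@angular-eslint/builder": { version: "13.5.0" },
    "node_modules/@angular-eslint/builder/node_modules/form-data": { version: "4.0.0" },
    "node_modules/axios": { version: "1.13.2" },
  },
};

console.log(findVulnerableCopies(sampleLock, "form-data", "4.0.4"));
```

In a real checkout, replace sampleLock with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result is the condition the acceptance criteria describe.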


coderabbitai bot commented Jan 8, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@granatonatalia granatonatalia marked this pull request as ready for review January 8, 2026 15:01
Copilot AI review requested due to automatic review settings January 8, 2026 15:01

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.



@qodo-code-review

PR Code Suggestions ✨

No code suggestions found for the PR.

Copilot AI changed the title [WIP] Update form-data package to fix security vulnerability Fix CVE-2025-7783: Override form-data to 4.0.5 Jan 8, 2026
Copilot AI requested a review from granatonatalia January 8, 2026 15:17
@granatonatalia

@copilot Resolve the conflicts.

Author

Copilot AI commented Jan 8, 2026

@copilot Resolve the conflicts.

Conflicts resolved in commit cccaaaa. The master branch was merged in, combining the form-data and axios overrides. Both vulnerabilities are fixed:

  • form-data: 4.0.5 ✓
  • axios: 1.13.2 ✓

Copilot AI changed the title Fix CVE-2025-7783: Override form-data to 4.0.5 Fix CVE-2025-7783: Override form-data to 4.0.5 (merged with master fixes) Jan 8, 2026
@granatonatalia

@copilot Resolve the conflicts.

Author

Copilot AI commented Jan 8, 2026

@copilot Resolve the conflicts.

Conflicts resolved in commit dc71e36. The package.json structure was adjusted to match the master branch exactly ("overrides" section before "browser"). No functional change - the vulnerabilities remain fixed:

  • form-data: 4.0.5 ✓
  • axios: 1.13.2 ✓

@granatonatalia granatonatalia merged commit 01ee4b7 into master Jan 8, 2026
3 of 5 checks passed
Copilot AI added a commit that referenced this pull request Jan 8, 2026
granatonatalia added a commit that referenced this pull request Jan 8, 2026
* Initial plan

* Initial analysis and plan for fixing 4 Dependabot security vulnerabilities

Co-authored-by: granatonatalia <[email protected]>

* Implement security fixes: CSP, security audit utility, xlsx→exceljs migration, axios/form-data overrides

Co-authored-by: granatonatalia <[email protected]>

* Fix TypeScript build errors by pinning compatible type definitions

Co-authored-by: granatonatalia <[email protected]>

* Address code review feedback: remove optional chaining and document CSP limitations

Co-authored-by: granatonatalia <[email protected]>

* Resolve merge conflicts with master branch

Co-authored-by: granatonatalia <[email protected]>

* Fix TypeScript error: add optional chaining to eachCell method

Co-authored-by: granatonatalia <[email protected]>

* Resolve merge conflicts with updated master branch (PRs #9-#13)

Co-authored-by: granatonatalia <[email protected]>

* Resolve merge conflicts (third iteration) - maintain type overrides and optional chaining

Co-authored-by: granatonatalia <[email protected]>

* Initial plan

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: granatonatalia <[email protected]>
granatonatalia added a commit that referenced this pull request Jan 8, 2026
* Initial plan

* Initial analysis and plan for fixing 4 Dependabot security vulnerabilities

Co-authored-by: granatonatalia <[email protected]>

* Implement security fixes: CSP, security audit utility, xlsx→exceljs migration, axios/form-data overrides

Co-authored-by: granatonatalia <[email protected]>

* Fix TypeScript build errors by pinning compatible type definitions

Co-authored-by: granatonatalia <[email protected]>

* Address code review feedback: remove optional chaining and document CSP limitations

Co-authored-by: granatonatalia <[email protected]>

* Resolve merge conflicts with master branch

Co-authored-by: granatonatalia <[email protected]>

* Fix TypeScript error: add optional chaining to eachCell method

Co-authored-by: granatonatalia <[email protected]>

* Resolve merge conflicts with updated master branch (PRs #9-#13)

Co-authored-by: granatonatalia <[email protected]>

* Resolve merge conflicts (third iteration) - maintain type overrides and optional chaining

Co-authored-by: granatonatalia <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: granatonatalia <[email protected]>