Security: Indirect dependency on vulnerable form-data (CVE-2025-7783) via node-httptransfer

Open JeremiahSteidinger opened this issue 1 month ago • 0 comments

This project currently depends on @adobe/node-httptransfer, which itself depends on a vulnerable version of the form-data package that is affected by CVE-2025-7783. This is a critical security vulnerability in the form-data module caused by insufficiently random boundary values, which can enable HTTP Parameter Pollution attacks.

Details

  • CVE: CVE-2025-7783 — insufficient randomness in multipart boundary values, leading to potential HTTP Parameter Pollution.
  • Severity: Critical (CVSS base score reported high/critical by multiple trackers).
  • Affected package: form-data versions including 4.0.0
  • Because aem-upload includes node-httptransfer, projects consuming aem-upload may transitively install a vulnerable form-data version unless it is updated or overridden.

JeremiahSteidinger, Jan 16 '26 20:01
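To act on the transitive-dependency point in the report, a consuming project needs to know which `form-data` copies its lockfile actually resolves to and which packages pull them in. The script below is an added example, not code from the aem-upload project or from the issue author: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` with the same nearest-`node_modules` lookup Node itself uses, flags copies that fall below the fixed release on their major line, and emits an npm `overrides` stanza. The lockfile content is constructed for the example and the package versions in it are placeholders; the fixed `form-data` versions (2.5.4, 3.0.4, 4.0.4) are an assumption taken from the upstream advisory and should be checked against it before relying on the output.

```javascript
// Added example (not from the aem-upload project): find every form-data copy a
// package-lock.json resolves to, flag the ones still affected by CVE-2025-7783,
// and name the packages that depend on each copy.
// ASSUMPTION: fixed releases are 2.5.4, 3.0.4 and 4.0.4; verify against the advisory.
const FIXED_VERSIONS = { 2: [2, 5, 4], 3: [3, 0, 4], 4: [4, 0, 4] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Vulnerable when below the fixed release on its major line; the 0.x/1.x lines
// predate every fix, and majors above 4 are treated as unaffected.
function isVulnerableFormData(version) {
  const v = parseVersion(version);
  const fixed = FIXED_VERSIONS[v[0]];
  if (!fixed) return v[0] < 2;
  return compareVersions(v, fixed) < 0;
}

// Node-style resolution inside the lockfile: look for depName in the dependent's
// own node_modules, then walk up one node_modules level at a time to the root.
function resolveDependency(packages, dependentPath, depName) {
  let base = dependentPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("node_modules/");
    base = idx <= 0 ? "" : base.slice(0, idx - 1); // drop trailing "/node_modules/<name>"
  }
}

function packageNameFromPath(path) {
  if (path === "") return "(root)";
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// One record per installed form-data copy: where it sits, its version, whether it
// is affected, and which packages actually resolve to that copy.
function findFormDataCopies(lock) {
  const packages = lock.packages;
  const results = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith("node_modules/form-data")) continue;
    const dependents = Object.entries(packages)
      .filter(([, m]) => m.dependencies && m.dependencies["form-data"])
      .filter(([depPath]) => resolveDependency(packages, depPath, "form-data") === path)
      .map(([depPath]) => packageNameFromPath(depPath));
    results.push({ path, version: meta.version, vulnerable: isVulnerableFormData(meta.version), dependents });
  }
  return results;
}

// package.json "overrides" stanza forcing transitive form-data onto the fixed 4.x line
// (only emitted when at least one affected copy was found).
function buildOverrides(copies) {
  return copies.some((c) => c.vulnerable) ? { overrides: { "form-data": "^4.0.4" } } : {};
}

// Constructed sample lockfile; package versions are placeholders, not real releases.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "@adobe/aem-upload": "*", "other-lib": "*" } },
    "node_modules/@adobe/aem-upload": { version: "0.0.0", dependencies: { "@adobe/node-httptransfer": "*" } },
    "node_modules/@adobe/node-httptransfer": { version: "0.0.0", dependencies: { "form-data": "^4.0.0" } },
    "node_modules/form-data": { version: "4.0.0" },
    "node_modules/other-lib": { version: "0.0.0", dependencies: { "form-data": "^4.0.4" } },
    "node_modules/other-lib/node_modules/form-data": { version: "4.0.4" },
  },
};

const report = findFormDataCopies(SAMPLE_LOCK);
console.log(JSON.stringify(report, null, 2));
console.log(JSON.stringify(buildOverrides(report), null, 2));
```

On the sample lockfile the hoisted `node_modules/form-data` 4.0.0 is reported as affected with `@adobe/node-httptransfer` as its only dependent, while the nested 4.0.4 copy under `other-lib` is clean. To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The override pins every `form-data` to the 4.x line, so confirm the packages that depended on a 2.x or 3.x copy accept that before committing it, and re-run the scan after `npm install` to verify no affected copy remains.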