Critical Vulnerability in Popular npm form-data Package Used Across Millions of Installs

A critical flaw in the popular npm form-data package could allow HTTP parameter pollution, affecting millions of projects until patched versions are adopted.

Sarah Gooding

July 22, 2025

A critical security vulnerability has been disclosed in the widely used npm package form-data, which sees more than 100 million downloads each week across various projects.

The vulnerability, classified as “Use of Insufficiently Random Values,” affects multiple versions of the package and can lead to HTTP Parameter Pollution (HPP) attacks. While not all applications are directly exposed, projects that rely on form-data for sensitive form submissions or file uploads could face unexpected behavior if they remain on vulnerable versions.

Maintainers have released patches, but a large portion of projects remain vulnerable due to outdated versions or pinned dependencies.

Vulnerability Details

The issue, tracked as CWE-330 (Use of Insufficiently Random Values), stems from the package’s unsafe method for generating boundary values in multipart/form-data requests. This weakness could allow attackers to manipulate HTTP request boundaries, enabling data injection or parameter pollution under certain conditions.

According to the security advisory, the following versions are vulnerable:

  • < 2.5.4
  • 3.0.0 – 3.0.3
  • 4.0.0 – 4.0.3

The patched versions are 2.5.4, 3.0.4, and 4.0.4. Developers are strongly advised to update immediately or, where possible, migrate to the built-in FormData implementation available in Node.js 18+ and all modern browsers.

The vulnerability was reported by Ben Shonaldmann, who also contributed to the remediation. Longtime Node.js and npm maintainer Jordan Harband reviewed the fix, ensuring a reliable patch for all affected versions.

Widespread Use of form-data Increases Its Ecosystem Impact

Despite the availability of native FormData APIs, the form-data package remains deeply embedded in the Node.js ecosystem, serving as a dependency for many older tools and frameworks. With over 100 million downloads per week, this vulnerability puts a spotlight on the risks of relying on legacy packages.

[Chart: weekly npm downloads of form-data; source: https://npm.chart.dev/form-data]

This issue also aligns with growing concerns about outdated Node.js versions. As Matteo Collina, a Node.js TSC member, highlighted in his recent JSNation keynote, many developers are still using end-of-life Node.js releases (like v12, v16, and v18) that no longer receive security patches. Collina warned that this combination of unsupported Node.js versions and outdated dependencies creates a dangerous surface for attacks.

Legacy Node.js Versions Amplify the Impact

The form-data vulnerability is a reminder that even widely trusted, long-standing npm packages can introduce critical security risks if left unmaintained or unpatched. Projects that use older form-data versions in production are particularly vulnerable, especially if coupled with outdated Node.js environments.

Developers who are using the form-data package should:

  • Upgrade to the patched versions of form-data (2.5.4+, 3.0.4+, or 4.0.4+).
  • Audit their dependency trees to ensure vulnerable versions aren’t included transitively.
  • Migrate to built-in FormData APIs in modern Node.js versions where feasible, reducing reliance on third-party packages.

The form-data issue is a reminder that as long as older Node.js versions remain widely used, vulnerabilities in foundational packages can have an outsized impact, especially when outdated environments delay the adoption of built-in, more secure APIs.
