
A critical flaw in the popular npm form-data package could allow HTTP parameter pollution, affecting millions of projects until patched versions are adopted.

July 22, 2025


A critical security vulnerability has been disclosed in the widely used npm package form-data, which sees more than 100 million downloads each week across various projects.
The vulnerability, classified as “Use of Insufficiently Random Values,” affects multiple versions of the package and can lead to HTTP Parameter Pollution (HPP) attacks. While not all applications are directly exposed, projects that rely on form-data for sensitive form submissions or file uploads could face unexpected behavior if they remain on vulnerable versions.
Maintainers have released patches, but a large portion of projects remain vulnerable due to outdated versions or pinned dependencies.

The issue, tracked as CWE-330 (Use of Insufficiently Random Values), stems from the package’s unsafe method for generating boundary values in multipart/form-data requests. This weakness could allow attackers to manipulate HTTP request boundaries, enabling data injection or parameter pollution under certain conditions.
According to the security advisory, the following versions are vulnerable:
The patched versions are 2.5.4, 3.0.4, and 4.0.4. Developers are strongly advised to update immediately or, where possible, migrate to the built-in FormData implementation available in Node.js 18+ and all modern browsers.
The vulnerability was reported by Ben Shonaldmann, who also contributed to the remediation. Longtime Node.js and npm maintainer Jordan Harband reviewed the fix, ensuring a reliable patch for all affected versions.
Despite the availability of native FormData APIs, the form-data package remains deeply embedded in the Node.js ecosystem, serving as a dependency for many older tools and frameworks. With over 100 million downloads per week, this vulnerability puts a spotlight on the risks of relying on legacy packages.

[Figure: weekly download chart for form-data; source: https://npm.chart.dev/form-data]
This issue also aligns with growing concerns about outdated Node.js versions. As Matteo Collina, a Node.js TSC member, highlighted in his recent JSNation keynote, many developers are still using end-of-life Node.js releases (like v12, v16, and v18) that no longer receive security patches. Collina warned that this combination of unsupported Node.js versions and outdated dependencies creates a dangerous attack surface.
The form-data vulnerability is a reminder that even widely trusted, long-standing npm packages can introduce critical security risks if left unmaintained or unpatched. Projects that use older form-data versions in production are particularly vulnerable, especially if coupled with outdated Node.js environments.
Developers who are using the form-data package should:

- Upgrade to a patched version of form-data (2.5.4+, 3.0.4+, or 4.0.4+).
- Migrate to the built-in FormData APIs in modern Node.js versions where feasible, reducing reliance on third-party packages.

The form-data issue is a reminder that as long as older Node.js versions remain widely used, vulnerabilities in foundational packages can have an outsized impact, especially when outdated environments delay the adoption of built-in, more secure APIs.
