form-data Boundary Value Prediction Vulnerability Allowing HTTP Parameter Pollution
Vulnerability
A vulnerability in the form-data package, specifically in versions prior to 2.5.4, 3.0.0 through 3.0.3, and 4.0.0 through 4.0.3, allows HTTP Parameter Pollution (HPP) because of insufficiently random values. form-data uses Math.random(), which is not a cryptographically secure generator, to produce the boundary values that separate the parts of multipart form data. An attacker who can predict the output of Math.random() can craft a payload containing the predicted boundary value and so inject additional parameters into the request.
Impact
Exploitation of this vulnerability could lead to arbitrary requests being made to internal systems, potentially allowing for unauthorized actions or access.
Reproduction
To reproduce this vulnerability, observe the output of Math.random() in the target application to predict future values. Then, use form-data to send a request that includes a crafted boundary value based on the predicted output. This can be done by injecting the boundary value into a field of the request, which may overwrite or append to existing parameters, depending on how the server handles multipart data.
Remediation
Users can update to form-data versions 4.0.4, 3.0.4, or 2.5.4, which have patched this vulnerability.
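To find which installed copies still need that update, the following added example (not part of the original advisory or of the form-data project) checks every form-data entry in a parsed npm lockfile against the affected ranges listed above. It assumes npm's lockfile v2/v3 "packages" layout; the function names and the sample lockfile are constructed for illustration.

```javascript
// First patched release per major line, taken from the advisory text.
const PATCHED = { 2: [2, 5, 4], 3: [3, 0, 4], 4: [4, 0, 4] };

// Parse "x.y.z" into numbers; any pre-release or build suffix is ignored.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m ? m.slice(1).map(Number) : null;
}

// true/false per the advisory's ranges; null when the version cannot be parsed.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const fixed = PATCHED[Math.max(v[0], 2)]; // 0.x and 1.x are "prior to 2.5.4"
  if (!fixed) return false;                 // major lines the advisory does not list
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false;                             // exactly the patched release
}

// Find every installed copy of form-data in a parsed lockfile (assumed npm
// lockfile v2/v3 "packages" map), including copies nested under other packages.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/form-data$/.test(path)) continue;
    findings.push({ path, version: entry.version, affected: isAffected(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile; package names other than form-data are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/form-data': { version: '4.0.4' },
    'node_modules/legacy-client/node_modules/form-data': { version: '2.3.3' },
    'node_modules/uploader/node_modules/form-data': { version: '3.0.1' },
    'node_modules/@demo/form-data': { version: '1.0.0' }, // scoped look-alike, skipped
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  const status = f.affected === null ? 'REVIEW' : f.affected ? 'UPDATE' : 'ok';
  console.log(`${status}  form-data@${f.version}  ${f.path}`);
}
```

Nested copies matter here because a patched top-level form-data does not replace an older copy pinned under another dependency.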
