
Conversation

@mainframev
Contributor

@mainframev mainframev commented Sep 24, 2025

from governed repo report about form-data:

form-data uses Math.random() to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker:
- can observe other values produced by Math.random in the target application, and
- can control one field of a request made using form-data

Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, including those used to generate form-data's boundary value. This allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request.

axios 1.8.0 -> 1.12.0

When Axios runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response.
This path ignores maxContentLength / maxBodyLength (which only protect HTTP responses), so an attacker can supply a very large data: URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested responseType: 'stream'.

@mainframev mainframev requested a review from a team as a code owner September 24, 2025 11:11
@mainframev mainframev force-pushed the chore/fix-security-viol branch 6 times, most recently from 8ed29e0 to 518460a September 24, 2025 11:48
@mainframev mainframev force-pushed the chore/fix-security-viol branch from 518460a to 65c32fa September 24, 2025 11:58
@mainframev mainframev changed the title chore: upgrade form-data to 4.0.4 to fix security vulnerability chore: upgrade form-data and axios to 4.0.4 to fix security vulnerability Sep 24, 2025
@mainframev mainframev changed the title chore: upgrade form-data and axios to 4.0.4 to fix security vulnerability chore: upgrade form-data and axios to fix security vulnerabilities Sep 24, 2025
@mainframev mainframev self-assigned this Sep 26, 2025
@mainframev mainframev merged commit e536dde into microsoft:main Sep 26, 2025
5 of 6 checks passed
marcosmoura added a commit to marcosmoura/fluentui-contrib that referenced this pull request Oct 15, 2025
…tion-upgrade' into test/react-draggable-dialog/add-more-complete-test-cases

* fix/react-draggable-dialog/improve-performance-after-motion-upgrade: (32 commits)
  fix: update swc config for tests
  fix: remove eslint comment
  fix: formatting
  fix: upgrade dnd-kit
  fix: revert changes to yarn.lock
  applying package updates
  fix(houdini-utils): Give wrapper element a different id  (microsoft#520)
  applying package updates
  fix(react-virtualizer): add missing react-jsx-runtime dependency (microsoft#518)
  applying package updates
  fix(houdini-utils): make DOM access to utils safe (microsoft#514)
  fix (react-virtualizer): Ensure IO buffer gets removed, not added from calculation (microsoft#516)
  fix (react-virtualizer): Ensure base virtualizer hook recalcs array if numItems change at end (microsoft#515)
  chore: update peer dependencies for React and @types/react to support versions v19 (microsoft#494)
  applying package updates
  fix (react-virtualizer): Ensure accurate positioning for dynamically changing sizes (microsoft#511)
  chore: upgrade form-data and axios to fix security vulnerabilities (microsoft#509)
  applying package updates
  feat (react-virtualizer): Enable complex dynamic virtualization with add and remove items (microsoft#508)
  chore: add cxe-prg to react-virtualizer codeowners (microsoft#510)
  ...