🚨 [security] New version of axios (1.11.0) broke the build

[depfu]

We've tested your project with an updated dependency and the build failed.

This version is either within the version range you specified or you haven't specified a version/range. To be able to test your project with the new version, we've taken the liberty of pinning the version for this branch and pull request.

name	version specification	new version
axios	^1.7.7	1.11.0

Unfortunately, we encountered failing tests after pinning. This means that this new version is not compatible with your project and the test failure will potentially also happen on fresh installs.

If you have correctly specified a semantic versioning version range, you should probably also file an issue with the upstream project as they might have released an update that's breaking SemVer rules, which is not cool. (But then again, not all projects explicitly follow SemVer)

We've left the pull request open for you to investigate this issue. Please don't merge it as is, because, again, we've pinned the version of axios for this test run.

What changed?

✳️ axios (^1.7.7 → 1.11.0) · Repo · Changelog

Security Advisories 🚨

🚨 Axios has Transitive Critical Vulnerability via form-data — Predictable Boundary Values (CVE-2025-7783)

Summary

A critical vulnerability exists in the form-data package used by [email protected]. The issue allows an attacker to predict multipart boundary values generated using Math.random(), opening the door to HTTP parameter pollution or injection attacks.

This was submitted in issue #6969 and addressed in pull request #6970.

Details

The vulnerable package [email protected] is used by [email protected] as a transitive dependency. It uses non-secure, deterministic randomness (Math.random()) to generate multipart boundary strings.

This flaw is tracked under Snyk Advisory SNYK-JS-FORMDATA-10841150 and CVE-2025-7783.

Affected form-data versions:

• <2.5.4

• =3.0.0 <3.0.4

• =4.0.0 <4.0.4

Since [email protected] pulls in [email protected], it is exposed to this issue.

PoC

1. Install Axios: - npm install [email protected]
   2.Run snyk test:

Tested 104 dependencies for known issues, found 1 issue, 1 vulnerable path.
✗ Predictable Value Range from Previous Values [Critical Severity]

in [email protected] via [email protected] > [email protected]

3. Trigger a multipart/form-data request. Observe the boundary header uses predictable random values, which could be exploited in a targeted environment.

Impact

• Vulnerability Type: Predictable Value / HTTP Parameter Pollution
• Risk: Critical (CVSS 9.4)
• Impacted Users: Any application using [email protected] to submit multipart form-data

This could potentially allow attackers to:

• Interfere with multipart request parsing
• Inject unintended parameters
• Exploit backend deserialization logic depending on content boundaries

Related Links

GitHub Issue #6969

Pull Request #xxxx (replace with actual link)

Snyk Advisory

form-data on npm

Release Notes

1.11.0

Release notes:

Bug Fixes

• form-data npm pakcage (#6970) (e72c193)
• prevent RangeError when using large Buffers (#6961) (a2214ca)
• types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)

Contributors to this release

• izzy goldman
• Manish Sahani
• Noritaka Kobayashi
• James Nail
• Tejaswi1305

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• chore(release): v1.11.0 (#6974)
• fix: form-data npm pakcage (#6970)
• fix(types): resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956)
• fix: prevent RangeError when using large Buffers (#6961)
• refactor: use spread operator instead of '.apply()' (#6938)
• refactor: use an object spread instead of Object.assign (#6939)
• chore(sponsor): update sponsor block (#6952)
• docs(CONTRIBUTING): update docs link for accuracy (#6894)
• chore(sponsor): update sponsor block (#6948)
• chore(sponsor): update sponsor block (#6937)

[depfu]

Closed in favor of #344.