form-data boundary randomness vulnerability (CVE-2025-7783)

Largely based on https://hackerone.com/reports/2913312 by https://hackerone.com/parrot409?type=user

Installing:

npm install
Make sure you have python3 installed with the z3 module (pip3 install -r requirements.txt) -- the exploit code shells out to python3 to predict the next random value

Running:

In parallel, run:

npm run start-backend (the backend server that will receive the manipulated request)
npm run start-vulnerable-server (the frontend server that can be tricked into sending a manipulated request)
npm run exploit (the client code that crafts and sends the exploit)

In the stdout of npm run backend, you should see a request with is_admin: true (despite the code in vulnerable-server.js never intending to add an is_admin parameter to the API call)

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
.gitignore		.gitignore
.tool-versions		.tool-versions
README.md		README.md
backend.js		backend.js
exploit.js		exploit.js
package-lock.json		package-lock.json
package.json		package.json
predict.py		predict.py
requirements.txt		requirements.txt
vulnerable-server.js		vulnerable-server.js

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

form-data boundary randomness vulnerability (CVE-2025-7783)

About

Uh oh!

Releases

Packages

Languages

benweissmann/CVE-2025-7783-poc

Folders and files

Latest commit

History

Repository files navigation

form-data boundary randomness vulnerability (CVE-2025-7783)

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages