[Pkg-javascript-devel] Bug#1109551: Bug#1109551: node-form-data: CVE-2025-7783
Yadd
yadd at debian.org
Sun Jul 27 21:57:44 BST 2025
On 7/27/25 19:29, Pragyansh Chaturvedi wrote:
> Hi
>
> upstream has the fix: https://github.com/form-data/form-data/
> commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0
> while debian has the fix: https://salsa.debian.org/js-team/node-form-
> data/-/commit/cee782f6ff789f389e6ce2f34ae9549d291e85be
>
> These fixes are different. The CVE fix in debian does not have a 50
> character boundary anymore, but a 62 character boundary now.
> This causes autopkgtest failure in node-superagent: https://
> ci.debian.net/packages/n/node-superagent/testing/amd64/62420387/, the
> payload size asserts now fail. This does not allow node-form-data to
> migrate.
> Please use the upstream's fix for this CVE instead of
> crypto.randomUUID() to preserve boundary length and not break other
> packages.
Upstream added a dependency instead of using built-in module, applying
upstream dependency is impossible for Trixie.
More information about the Pkg-javascript-devel
mailing list