[Pkg-javascript-devel] Bug#1109551: Bug#1109551: node-form-data: CVE-2025-7783

Yadd yadd at debian.org
Sun Jul 27 21:57:44 BST 2025


On 7/27/25 19:29, Pragyansh Chaturvedi wrote:
> Hi
> 
> upstream has the fix: https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0
> while debian has the fix: https://salsa.debian.org/js-team/node-form-data/-/commit/cee782f6ff789f389e6ce2f34ae9549d291e85be
> 
> These fixes are different. The CVE fix in debian does not have a 50 
> character boundary anymore, but a 62 character boundary now.
> This causes autopkgtest failure in node-superagent:
> https://ci.debian.net/packages/n/node-superagent/testing/amd64/62420387/, the
> payload size asserts now fail. This does not allow node-form-data to
> migrate.
> Please use the upstream's fix for this CVE instead of 
> crypto.randomUUID() to preserve boundary length and not break other 
> packages.

Upstream added a dependency instead of using a built-in module; applying the
upstream dependency is impossible for Trixie.
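
The length arithmetic behind the failing payload size asserts, as an added example that is not part of this thread and is not code from form-data or the Debian package. It assumes a boundary made of 26 dashes plus a random suffix; the function names, the 24-hex-character suffix and the sample fields are constructed for illustration.

```javascript
// Added example: compares multipart body sizes for a 62- and a 50-character boundary.
const { randomBytes, randomUUID } = require('node:crypto');

// Assumption: the boundary starts with a fixed run of 26 dashes.
const PREFIX = '-'.repeat(26);

// 26 dashes + 36-character UUID string = 62 characters.
function uuidBoundary() {
  return PREFIX + randomUUID();
}

// 26 dashes + 24 hex characters (12 CSPRNG bytes) = 50 characters,
// using only the built-in crypto module.
function hexBoundary() {
  return PREFIX + randomBytes(12).toString('hex');
}

// Serialize plain text fields as multipart/form-data and return the body size in bytes.
function multipartLength(boundary, fields) {
  let body = '';
  for (const [name, value] of Object.entries(fields)) {
    body += `--${boundary}\r\n` +
            `Content-Disposition: form-data; name="${name}"\r\n\r\n` +
            `${value}\r\n`;
  }
  body += `--${boundary}--\r\n`; // closing delimiter
  return Buffer.byteLength(body);
}

// The boundary occurs once per field plus once in the closing delimiter,
// so every extra boundary character costs (fields + 1) bytes in the body.
function sizeDelta(fields) {
  return multipartLength(uuidBoundary(), fields) -
         multipartLength(hexBoundary(), fields);
}

// Constructed sample input.
const SAMPLE_FIELDS = { user: 'tobi', note: 'hello' };

console.log('uuid boundary length:', uuidBoundary().length);
console.log('hex boundary length: ', hexBoundary().length);
console.log('body size difference:', sizeDelta(SAMPLE_FIELDS), 'bytes');
```

A test that hard-codes Content-Length for a 50-character boundary is off by 12 bytes per boundary occurrence once the boundary grows to 62 characters.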