CyberSecurityBoard
Sponsor Register Login

Critical Vulnerability in JavaScript Library Exposes Millions of Apps to Code Execution Attacks

The vulnerability, assigned CVE-2025-7783, stems from the library’s use of the predictable Math.random() function to generate boundary values for multipart form-encoded data, allowing attackers to manipulate HTTP requests and inject malicious parameters into backend systems. Additionally, security teams should review applications for other instances where Math.random() values might be observable to potential attackers, as this represents a broader class of vulnerability beyond the specific form-data issue. Security researchers have demonstrated that by observing other Math.random() values produced by the target application, attackers can determine the PRNG state and predict future boundary values with high accuracy. This implementation uses JavaScript’s Math.random() function, which generates pseudo-random numbers that are predictable when an attacker can observe sequential values from the same pseudo-random number generator (PRNG) state. Common scenarios include applications that generate request IDs using Math.random() for distributed tracing, similar to how OpenTelemetry implements random ID generation for correlation across frontend and backend systems. The patches replace the predictable Math.random() implementation with cryptographically secure random number generation for boundary value creation. form-data library uses predictable Math.random(), enabling parameter injection attacks.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 23 Jul 2025 13:35:05 +0000


Cyber News related to Critical Vulnerability in JavaScript Library Exposes Millions of Apps to Code Execution Attacks

ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store - On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc. ChatGPT, the AI software, has already taken the Internet by storm, and that is why ...
2 years ago Hackread.com Everest
Data Insecurity: Experts Sound the Alarm on 4 Apps Putting User Privacy at Risk - Even though many of us rely on apps to entertain us, guide us, manage our exercise, and connect with family and friends, they are notoriously hard to trust. In an age when technology is constantly evolving, it is almost impossible to tell if a ...
1 year ago Cysecurity.news
Malicious Android 'Vapor' apps on Google Play installed 60 million times - Although all of these apps have since been removed from Google Play, there's a significant risk that Vapor will return through new apps as the threat actors have already demonstrated the ability to bypass Google's review process. Bitdefender ...
4 months ago Bleepingcomputer.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
Halting Hackers on the Holidays 2023 Part II: The Apps You Trust - Most free flashlight apps are creepware - also known as malware that spies on you and your online behavior and could pass along information to others. The problem doesn't begin and end with flashlight apps, though. Many seemingly innocuous apps that ...
1 year ago Cyberdefensemagazine.com
Google Online Security Blog: I/O 2024: What's new in Android security and privacy - As their tactics evolve in sophistication and scale, we continually adapt and enhance our advanced security features and AI-powered protections to help keep Android users safe. Today, we're announcing more new fraud and scam protection features ...
1 year ago Security.googleblog.com Cloak
The mystery of the targeted ad and the library patron The Register - Feature In April, attorney Christine Dudley was listening to a book on her iPhone while playing a game on her Android tablet when she started to see in-game ads that reflected the audiobooks she recently checked out of the San Francisco Public ...
1 year ago Go.theregister.com
Ushering in the Next Phase of Mobile App Adoption: Bolstering Growth with Unyielding Security - In recent years, mobile apps have surged in popularity providing consumers with instant access to a variety of life essentials such as finances, education, and healthcare to life's pleasures such as shopping, sports, and gaming. With the popularity ...
1 year ago Cyberdefensemagazine.com
This year's resolution: remove nosey apps from your device - Some apps are plain greedy-like a stranger you invite for a meal who insists on ordering everything on the menu. Here's what upset me: After I downloaded the companion app that helps control it for my phone, the app wanted permission to make and ...
1 year ago Blog.avast.com
10 Key Things You Need to Know About the Sophisticated Vastflux Ad Fraud Scheme - At the end of April 2015, researchers from Distil Networks reported the discovery of a sophisticated ad fraud network, Vastflux, which had been around since at least January 2014. The network used sophisticated malware targeting both iOS and Android ...
2 years ago Securityweek.com
10 Ways a Digital Shield Protects Apps and APIs - While far from perfect, this approach provided multilayer security defenses to protect apps and APIs. As network architectures gradually became more complex, so did protecting apps and APIs. The on-premises enterprise environment gave way to a hybrid ...
1 year ago Darkreading.com
Android App Security Alert: Proactive Measures to Prevent Unauthorized Control - The latest security alert comes from Microsoft's team who discovered a new vulnerability that may give hackers complete control of your smartphone. The latest security alert is triggered by the discovery of a new security flaw which can allow hackers ...
1 year ago Cysecurity.news
Ontario public library shuts down most services due to cyberattack - A popular library in Ontario, Canada was forced to shut down most of its services this week due to a cyberattack - the latest library to face issues after hackers infiltrated its systems. The London Public Library, which services the Canadian city's ...
1 year ago Therecord.media
Alert: iPhone Push Notifications Exploited Users Data - The security researcher found users privacy concerns in iPhone push notifications, the apps accessing the accelerometer. It also details some privacy concerns regarding app access to this sensor. Some apps have been found to collect accelerometer ...
1 year ago Hackersonlineclub.com
Rhysida ransomware gang claims British Library cyberattack - The Rhysida ransomware gang has claimed responsibility for a cyberattack on the British Library in October, which has caused a major ongoing IT outage. Rhysida is auctioning off the data it reportedly stole from the United Kingdom's national library ...
1 year ago Bleepingcomputer.com Rhysida Medusa
17 Risky Apps Threatening Your Smartphone Security - Users of Google Android and Apple iPhone smartphones have recently received a vital warning to immediately remove certain apps from their devices. The programs that were found to be potentially dangerous have been marked as posing serious concerns to ...
1 year ago Cysecurity.news
Critical bug in ownCloud file sharing app exposes admin passwords - Open source file sharing software ownCloud is warning of three critical-severity security vulnerabilities, including one that can expose administrator passwords and mail server credentials. OwnCloud is an open-source file sync and sharing solution ...
1 year ago Bleepingcomputer.com CVE-2023-49103
Ten new Android banking trojans targeted 985 bank apps in 2023 - This year has seen the emergence of ten new Android banking malware families, which collectively target 985 bank and fintech/trading apps from financial institutes across 61 countries. Banking trojans are malware that targets people's online bank ...
1 year ago Bleepingcomputer.com
How ID Scanning Apps Can Prevent Fraud - One effective solution is the use of ID scanning applications. These apps provide businesses with an efficient method to verify customer identities and reduce the risk of fraud. In this article, we will explore how ID scanning apps help prevent fraud ...
1 year ago Hackread.com
Toronto Public Library 'remains a crime scene' after ransomware attack - The Toronto Public Library is still in the process of recovering from a ransomware attack that limited its offerings and required wholesale changes to how the organization runs. Toronto City Librarian Vickery Bowles published a lengthy note on ...
1 year ago Therecord.media
Pig Butchering: Fake Trading Apps Target Crypto on Apple, Google Play Stores - Pig Butchering scam targets crypto users with fake trading apps on Apple and Google Play Stores. These apps, found on Apple’s App Store and Google Play, and on phishing sites, are part of a Pig Butchering scam targeting cryptocurrency investors ...
9 months ago Hackread.com
Ransomware takes British Library goes offline - When the British Library was infected with ransomware, few could have predicted how damaging the attack would be. A month later, the Library's IT systems are still offline - and now hackers are threatening to sell stolen personal data too. On 31st ...
1 year ago Pandasecurity.com Rhysida
Over 90 malicious Android apps with 5.5M installs found on Google Play - Over 90 malicious Android apps were found installed over 5.5 million times through Google Play to deliver malware and adware, with the Anatsa banking trojan seeing a recent surge in activity. Anatsa is a banking trojan that targets over 650 ...
1 year ago Bleepingcomputer.com
Microsoft Disables Verified Partner Accounts Used for OAuth Phishing - Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations cloud environments to steal email. In a joint announcement between Microsoft and Proofpoint, ...
2 years ago Bleepingcomputer.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)